From: Eirik Øverby <ltning@anduin.net>
To: Ed Sykes
Cc: freebsd-security@freebsd.org
Date: Wed, 11 Mar 2009 23:30:37 +0100
Subject: Re: HSM devices and FreeBSD
In-Reply-To: <49B8263A.3000006@opnet.com>

On 11. mars. 2009, at 21.59, Ed Sykes wrote:

> I am essentially asking the same question that Eirik Overby asked a
> couple of years ago. Is anyone aware of PCI-X/PCIe hardware
> security modules that are supported on FreeBSD? I have not seen any
> on the FreeBSD hardware compatibility lists. Again, as Eirik noted
> in his question, HSMs are not simply crypto accelerators (which are
> supported on FreeBSD), they also are a means of storing keys with
> physical, tamper-resistant security.
Thanks for reiterating this question. I now work for the software developer I previously accused of leaving us in the dust, and have managed to convert the company to using FreeBSD as our primary hosting platform ;)

The problem with supported HSM devices, however, lingers.

For one device (Thales RG8000), we've done our own software (Java) implementation of their communications library, specific to our application. This is a network-attached device.

For the other device we use (Thales WebSentry), we're using the Linux PKCS#11/OpenSSL engine implementation and associated OpenSSL binaries, along with our internal tools compiled on Linux. All this under Linux emulation on FreeBSD. This works - so far - well, however it is impossible to use Java JNI to interface with Linux binaries, so we're still at a disadvantage.

So the question still stands - are there HSM devices out there, internal or external, with proper FreeBSD support?

/Eirik