Formed in 2009, the Archive Team (not to be confused with the archive.org Archive-It Team) is a rogue archivist collective dedicated to saving copies of rapidly dying or deleted websites for the sake of history and digital heritage. The group is 100% composed of volunteers and interested parties, and has expanded into a large amount of related projects for saving online and digital history.
Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upAdd PKCS11 KMSClient #322
Open
Add PKCS11 KMSClient #322
Conversation
rbroggi
commented
Mar 21, 2020
•
|
Nice one |
|
For sure. Happy to toss in a few other languages, but Go is my language of choice these days :) |
Closed
|
It's nice to see HSM support for Tink. Looking forward for this change to be included! |
|
Sorry for the delayed clean up, just got a chance to get back to this. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
solcates commentedMar 15, 2020
This PR adds a PKCS11 KMSClient to tink using AES256GCM for those that would like to leverage an HSM for their key management and key entropy.
It uses the crypto11 library to expose simple Go crypto interfaces to a PKCS11 device (HSM, Token, SoftHSM, etc...)
The keyURI introduced is pkcs11://KeyID in where KeyID is a unique ID in your device (ID only, labels currently not allowed).
The README.md goes into some details about the 2 modes of operation, as well as some basic benchmarks using both HSM and Wrapped keys as your tink.AEAD.
P.S. - I have struggled to get Bazelisk to build the project, so hopefully the bazel modifications work for someone with a working Bazel environment.