Editing Virtual HSM

Jump to: navigation, search

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.
Latest revision Your text
Line 14: Line 14:
 
=== VHSM virtual environment ===
 
=== VHSM virtual environment ===
 
[[File:VHSM_data_encryption.png|thumb|right|400px|Fig. 2 — Data encryption in the VHSM]]
 
[[File:VHSM_data_encryption.png|thumb|right|400px|Fig. 2 — Data encryption in the VHSM]]
The VHSM VE contains the secure storage which is the database that stores the sensitive data in the encrypted form while other data (refer the table below) are stored unencrypted. The encryption key (master key) is derived from the user password using [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2] and not stored in database. Utilizing PBKDF2 reduces the brute-force attack rate significantly if the database is compromised. The following table lists data that stored in the VHSM:
+
The VHSM VE contains the secure storage which is the database that stores the sensitive data in the encrypted form while other data (refer the table below) are stored unencrypted. The encryption key (master key) is generated from the user password using [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2] and not stored in database. Utilizing PBKDF2 reduces the brute-force attack rate significantly if the database is compromised. The following table lists data that stored in the VHSM:
 
{|class="standard" border="1"
 
{|class="standard" border="1"
 
  !Data
 
  !Data
Line 78: Line 78:
 
The GCM mode guarantees integrity and confidentiality of the user data and therefore makes it possible to authenticate the encryption key derived from the user password. The VHSM uses this feature for user authentication. Registration process is shown in the [[Media:Vshm_user_registration.png|Fig. 3]].
 
The GCM mode guarantees integrity and confidentiality of the user data and therefore makes it possible to authenticate the encryption key derived from the user password. The VHSM uses this feature for user authentication. Registration process is shown in the [[Media:Vshm_user_registration.png|Fig. 3]].
  
A user is authenticated ([[Media:Vhsm_user_auth.png|Fig. 4]]) using the login/password pair and the container ID (VEID) where authentication request is received from. When a user is registered it's bound to the set of containers authorised to access VHSM API. If the user attempts to access to the VHSM from a non-authorized container the request is refused.
+
A user is authenticated ([[Media:Vhsm_user_auth.png|Fig. 4]]) using the login/password pair and the container ID (VEID) where authentication request is received from. When a user is registered it's bound to the set of containers where one can get access to the VHSM from. If the user attempts to access to the VHSM from a non-authorized container the request is refused.
  
 
=== Transport ===
 
=== Transport ===

Please note that all contributions to OpenVZ Virtuozzo Containers Wiki may be edited, altered, or removed by other contributors. If you don't want your writing to be edited mercilessly, then don't submit it here.
If you are going to add external links to an article, read the External links policy first!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)