Editing Virtual HSM
Latest revision | Your text | ||
Line 14: | Line 14: | ||
=== VHSM virtual environment === | === VHSM virtual environment === | ||
[[File:VHSM_data_encryption.png|thumb|right|400px|Fig. 2 — Data encryption in the VHSM]] | [[File:VHSM_data_encryption.png|thumb|right|400px|Fig. 2 — Data encryption in the VHSM]] | ||
− | The VHSM VE contains the secure storage which is the database that stores the sensitive data in the encrypted form while other data (refer the table below) are stored unencrypted. The encryption key (master key) is | + | The VHSM VE contains the secure storage which is the database that stores the sensitive data in the encrypted form while other data (refer the table below) are stored unencrypted. The encryption key (master key) is generated from the user password using [http://en.wikipedia.org/wiki/PBKDF2 PBKDF2] and not stored in database. Utilizing PBKDF2 reduces the brute-force attack rate significantly if the database is compromised. The following table lists data that stored in the VHSM: |
{|class="standard" border="1" | {|class="standard" border="1" | ||
!Data | !Data | ||
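Review bot: the sentence added in the Line 14 hunk, "Utilizing PBKDF2 reduces the brute-force attack rate significantly if the database is compromised", rests on parameters the hunk does not state: the PBKDF2 iteration count and whether a random per-user salt is stored with the encrypted record. Without them a reader cannot judge how much a database compromise actually costs an attacker, so suggest extending the sentence to something like "The master key is derived with PBKDF2 ([iteration count] iterations, random per-user salt stored alongside the record) and is never stored in the database", with the real value filled in. Minor wording in the same hunk: "refer the table below" should read "refer to the table below", and "lists data that stored in the VHSM" should read "lists the data that is stored in the VHSM".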
Line 78: | Line 78: | ||
The GCM mode guarantees integrity and confidentiality of the user data and therefore makes it possible to authenticate the encryption key derived from the user password. The VHSM uses this feature for user authentication. Registration process is shown in the [[Media:Vshm_user_registration.png|Fig. 3]]. | The GCM mode guarantees integrity and confidentiality of the user data and therefore makes it possible to authenticate the encryption key derived from the user password. The VHSM uses this feature for user authentication. Registration process is shown in the [[Media:Vshm_user_registration.png|Fig. 3]]. | ||
− | A user is authenticated ([[Media:Vhsm_user_auth.png|Fig. 4]]) using the login/password pair and the container ID (VEID) where authentication request is received from. When a user is registered it's bound to the set of containers | + | A user is authenticated ([[Media:Vhsm_user_auth.png|Fig. 4]]) using the login/password pair and the container ID (VEID) where authentication request is received from. When a user is registered it's bound to the set of containers where one can get access to the VHSM from. If the user attempts to access to the VHSM from a non-authorized container the request is refused. |
=== Transport === | === Transport === | ||
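Review bot: the sentences added in the Line 78 hunk make access control depend on "the container ID (VEID) where authentication request is received from", but do not say which component establishes that VEID. Since the container binding is only as strong as the source of the VEID, a sentence stating whether the VEID is attached by the host-side transport rather than supplied by the client would let a reader assess the control; if that is the design, say so here. Also "attempts to access to the VHSM" should read "attempts to access the VHSM", and "where one can get access to the VHSM from" reads more cleanly as "from which the VHSM can be accessed".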
Line 170: | Line 170: | ||
* VHSM VE: <tt>vhsm</tt> | * VHSM VE: <tt>vhsm</tt> | ||
* Client VE: <tt>libvhsmapi.a, vhsm_admin</tt> | * Client VE: <tt>libvhsmapi.a, vhsm_admin</tt> | ||
− | * Host: <tt>vhsm_transport.ko, vhsm_admin | + | * Host: <tt>vhsm_transport.ko, vhsm_admin</tt> |
== Usage == | == Usage == | ||
To run VHSM perform the following steps: | To run VHSM perform the following steps: | ||
− | # Insert transport module: <code>insmod vhsm_transport.ko vhsm_veid=[veid]</code> where <code>[veid]</code> is VEID of the VHSM container | + | # Insert transport module: <code>insmod vhsm_transport.ko vhsm_veid=[veid]</code> where <code>[veid]</code> is VEID of the VHSM container |
# Start VHSM in the VHSM container: <code>vhsm /path/to/storage</code>. You can init secure storage and create <tt>root</tt>-user on the first run | # Start VHSM in the VHSM container: <code>vhsm /path/to/storage</code>. You can init secure storage and create <tt>root</tt>-user on the first run | ||
# Add VHSM users from host: <code>vhsm_admin user create <admin login> <admin password> [options...]</code>. Run <code>vhsm_admin help</code> for details. | # Add VHSM users from host: <code>vhsm_admin user create <admin login> <admin password> [options...]</code>. Run <code>vhsm_admin help</code> for details. | ||
# Now you can use VHSM from client VEs | # Now you can use VHSM from client VEs | ||
− | |||
− | |||
− | |||
− | |||
− |
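Review bot: step 3 of the usage list in the Line 170 hunk documents passing the administrator password on the command line (vhsm_admin user create <admin login> <admin password> [options...]); command-line arguments are readable by other processes on the host and are kept in shell history, so the documentation should say this, and should describe an interactive prompt or an option that reads the password from a file if vhsm_admin provides one. The remaining changes in the hunk are fine: the closing </tt> added to the "Host:" line fixes the unbalanced tag, and the removed trailing blank lines are whitespace only. The insmod step shows no visible difference between the two columns, which suggests a whitespace-only change there as well.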