Thanks. The situation that I am addressing is that of a key roll over. My
guess is that when such an event takes place Knot will automatically remove
the obsolete key from the KASP, but not from the HSM. Which, in the case of
SoftHSM, implies that keys will be added to the corresponding token
directory indefinitely. I am guessing that a judicious use of keymgr list
and keymgr delete will enable an administrator to remove old keys from the
HSM - but it will have to be done by hand: Knot will not do so on its own.
Is this a correct view of the way things are?
On Wed, Sep 8, 2021 at 9:29 AM libor.peltan <libor.peltan(a)nic.cz> wrote:
Hi Luveh,
when just re-signing the zone, Knot does not need to generate any newer
key pairs. It's just still using the key pair it has generated initially
(for each zone separately).
Only in the case of ZSK and KSK rollovers, when the keys (ZSK and KSK,
respectively) reach their configured lifetime, new keys are generated and
old ones are rolled over (in a bit complicated, multi-step process) and deleted
afterwards, so that in the usual case, only 2 keys per zone are present.
In case of single-type signing scheme, it's just one key per zone (CSK).
Anyway, any keys can be deleted (if needed) by the keymgr utility. One
just needs to check that the key being deleted is not needed anymore ;)
Libor
On 08. 09. 21 at 17:23 Luveh Keraph wrote:
When Knot generates a key pair, it will save it in some directory in the
filesystem - in the clear, when using the default cryptographic provider,
or as an encrypted blob when using SoftHSM, or (possibly) a real HSM.
Imagine that I have a setup with many zones, with a signing policy that
causes them to be re-signed often - say, every hour or so. This implies
that new key pairs will be generated all the time.
My question is, how does Knot manage key pairs that it does not need any
more? It does not seem to remove them automatically. Does it provide any
mechanisms or tools to do so?