Generate keys in a YubiHSM
Once we have the basic ability to sign using OpenPGP keys in a YubiHSM (#1099), we need to be able to configure Debusine to generate keys there by default.
However, this is a broader issue than just OpenPGP: at the moment we can manually register pre-generated keys on a PKCS#11 token, but we have no way to generate keys there to begin with. Since HSMs normally have quite low limits on the number of objects that can be stored on the module, we need to export generated keys under wrap (i.e. encrypted using a key-encryption key known to the module) and import them back into the module on demand, perhaps unimporting them on a least-recently-used basis.
We need at least:

- `ProtectedKeyPKCS11Dynamic`, describing a private key held on a PKCS#11 token but exported under wrap, storing the exported form in the signing database, and managing the import-on-demand logic
- Signing worker configuration describing an attached YubiHSM that can be used for key generation
- Mechanisms to generate UEFI and OpenPGP keys on a YubiHSM
- Additional data for the `GenerateKey` task to describe how the new key is to be protected (can default to `NaCl`)
- Additional data for the `update_suites` workflow to describe how newly-generated repository signing keys are to be protected (can default to `NaCl`, and can be applied using task configuration)
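As an added sketch (not Debusine's code) of the export-under-wrap and import-on-demand logic described above and needed by `ProtectedKeyPKCS11Dynamic`: `Token` is a constructed stand-in for a PKCS#11 module with a small object limit and a module-resident key-encryption key, its wrap format is a toy encrypt-then-MAC rather than a real PKCS#11 wrapping mechanism, and `DynamicKeyStore` keeps the wrapped blob as the stored form, unwraps a key on first use and unimports the least-recently-used key when the module is full. All class and method names are assumptions for illustration.

```python
import hashlib, hmac, os
from collections import OrderedDict


class Token:  # constructed stand-in for a PKCS#11 module: bounded object table, resident KEK
    def __init__(self, max_objects: int) -> None:
        self.max_objects, self._kek, self._objs = max_objects, os.urandom(32), {}
    def _xor(self, nonce: bytes, data: bytes) -> bytes:  # toy keystream cipher under the KEK
        return bytes(a ^ b for a, b in zip(data, hashlib.sha256(self._kek + nonce).digest()))
    def _check_room(self) -> None:  # HSMs hold only a small number of objects
        if len(self._objs) >= self.max_objects:
            raise RuntimeError("token object limit reached")
    def generate(self, handle: str) -> None:
        self._check_room()
        self._objs[handle] = os.urandom(32)  # stand-in for asymmetric key generation
    def wrap(self, handle: str) -> bytes:  # export under wrap: toy encrypt-then-MAC under the KEK
        nonce = os.urandom(16)
        ct = self._xor(nonce, self._objs[handle])
        return nonce + ct + hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()
    def unwrap(self, handle: str, blob: bytes) -> None:  # import only if the tag verifies
        self._check_room()
        nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, hmac.new(self._kek, nonce + ct, hashlib.sha256).digest()):
            raise ValueError("wrapped key failed authentication")
        self._objs[handle] = self._xor(nonce, ct)
    def destroy(self, handle: str) -> None:
        del self._objs[handle]
    def sign(self, handle: str, data: bytes) -> bytes:  # stand-in for a real signature
        return hmac.new(self._objs[handle], data, hashlib.sha256).digest()


class DynamicKeyStore:  # wrapped blobs live in the signing database; import on demand, evict LRU
    def __init__(self, token: Token) -> None:
        self.token, self.wrapped, self.resident = token, {}, OrderedDict()
    def _make_room(self) -> None:
        while len(self.resident) >= self.token.max_objects:
            self.token.destroy(self.resident.popitem(last=False)[0])  # least recently used
    def generate(self, name: str) -> None:
        self._make_room()
        self.token.generate(name)
        self.wrapped[name], self.resident[name] = self.token.wrap(name), None  # stored form
    def sign(self, name: str, data: bytes) -> bytes:
        if name in self.resident:
            self.resident.move_to_end(name)  # mark as most recently used
        else:
            self._make_room()
            self.token.unwrap(name, self.wrapped[name])  # re-import from the stored blob
            self.resident[name] = None
        return self.token.sign(name, data)
```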