Yubico Forum ...visit our web-store at 2015-07-14T17:58:19+01:00 https://forum.yubico.com/feed.php?f=22&t=1955 2015-07-14T17:58:19+01:00 2015-07-14T17:58:19+01:00 https://forum.yubico.com/viewtopic.php?t=1955&p=7574#p7574 <![CDATA[Re: hsm internal database, otp counters]]> bmwt wrote:

Howdy folks,

I'm assuming my other (only?) option is to run my own validation service on each node, continue to sync the yubi_val's postgress tables out of band, and store the keys as AEAD blobs (generated on the controlling workstation) on the validators' filesystems, and sync those using normal unix methods?


I've been going down this route. I've initialized an HSM, and set an AEAD AES key. I've used yhsm-generate-keys to create a key. I can get the secret out with yhsm-decrypt-aead, *using the aes key on the command line.* Do i really need to store that AES key in the clear somewhere to decrypt the blobs to provision yubikeys? Is there a flag im missing to have the HSM use the internal copy of the key?

thanks,

-bmwt

Statistics: Posted by bmwt — Tue Jul 14, 2015 5:58 pm

]]> 2015-07-07T23:17:51+01:00 2015-07-07T23:17:51+01:00 https://forum.yubico.com/viewtopic.php?t=1955&p=7534#p7534 <![CDATA[hsm internal database, otp counters]]>
I'm wrapping my mind around how best to utilize the yubihsm in my environment. We're implementing two servers (east coast, west coast) for use as two factor radius appliances:

Freeradius -> pam -> pam_yubi -> localhost validation server -> localhost ksm
(there's also a pam_ldap and a local ldap replica, to provide a second factor)

In order to prevent a chicken/egg problem during disasters, we're doing everything possible to stack all these services on a single host, which is then replicated for geographic redundancy.

Without the HSM, we need to manually load keys into each node's database (postgres), separately sync the validator's database to keep OTP counters accurate on both systems. As i understand it, the HSM module offers the possibility to use the device's internal database to store. Am I correct in assuming i can *not* use that internal database unless i want to restrict to the one unit? Is there a way to sync the internal counters of the database?

I'm assuming my other (only?) option is to run my own validation service on each node, continue to sync the yubi_val's postgress tables out of band, and store the keys as AEAD blobs (generated on the controlling workstation) on the validators' filesystems, and sync those using normal unix methods?

(forgive me if I'm missing something obvious, still trying to wrap my head around the documentation)

thanks!

-bmwt

Statistics: Posted by bmwt — Tue Jul 07, 2015 11:17 pm

]]>