Hi, I’m working on a project in which I need to interact between a Java-based fat client software and a Yubikey. Some brief background;
The software will need to store encrypted files on the machine it’s executing on, the files should only be able to be read by the software itself. Of course we cannot keep the key as plain text in the software, so instead wish to require the presence of the yubikey to allow decryption somehow.
Thus far the planned model of this is; - Encrypt/decrypt with a symmetric AES-key/algorithm. - Encrypt the AES key and ship that with the software. - When files need to be encrypted: require a touch on the yubikey/password to decrypt the AES key, use the key to decrypt the files.
The first step I already have working, but the last two are a bit trickier. I have a hard time finding any information about how one would go around implementing this. Could this be done using the OpenPGP applet (we have multiple yubikey 4-keys) and interacting to the smart card using the javax.smartcardio API? I'm thinking a private RSA-key stored on the yubikey and having the AES-key encrypted with the corresponding public-key and store that on the client-software. In case anyone wonders, we're using Java 1.7.
Perhaps I’ve missed something and that there exists a far better solution for this?
Thanks! Staffan
|