summaryrefslogtreecommitdiff
path: root/usr/lib/pkcs11/cca_stdll/README.cca_stdll
diff options
context:
space:
mode:
Diffstat (limited to 'usr/lib/pkcs11/cca_stdll/README.cca_stdll')
-rw-r--r--usr/lib/pkcs11/cca_stdll/README.cca_stdll24
1 files changed, 24 insertions, 0 deletions
diff --git a/usr/lib/pkcs11/cca_stdll/README.cca_stdll b/usr/lib/pkcs11/cca_stdll/README.cca_stdll
new file mode 100644
index 0000000..f535dfa
--- /dev/null
+++ b/usr/lib/pkcs11/cca_stdll/README.cca_stdll
@@ -0,0 +1,24 @@
+
+README for the CCA secure-key token
+
+Kent Yoder <yoder1@us.ibm.com>
+
+ The key used to encrypt private objects on disk is a secure key.
+
+ The key used to encrypt that secure key is based on the hash of the
+USER and SO pins. Therefore it is a clear key and software is used to
+do the encryption/decryption of the secure key.
+
+MK_USER: The secure key used for internal on-disk encryption, encrypted
+ under the USER's PIN by software routines
+
+MK_SO: The secure key used for internal on-disk encryption, encrypted
+ under the SO's PIN by software routines
+
+So, MK_USER and MK_SO contain the same key, encrypted under different PINs
+
+PKCS#11 Notes:
+
+DES/3DES PKCS#11 key objects have the CCA key identifier stored in the CKA_VALUE
+attribute. Usually the CKA_VALUE attribute would hold a plaintext key, however
+in this case, the id used to reference the secure key is stored here.
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-18 12:42:23 +0000