Skip to content

Document the HSM Daemon #802

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
settermjd merged 25 commits into from
May 8, 2019
Merged

Document the HSM Daemon #802

settermjd merged 25 commits into from
May 8, 2019

Conversation

@settermjd
Copy link
Contributor

@settermjd settermjd commented Mar 22, 2019
edited
Loading

I'm not quite sure if this is what you want, but I've done my best to take the existing hsmdaemon documentation, to work through it and revise it, where necessary; after which I've integrated it into the ownCloud docs.

@sharidas, can you let me know if it goes far enough, or if something is missing?

This fixes #586.

@settermjd settermjd self-assigned this Mar 22, 2019
@settermjd settermjd requested a review from sharidas March 22, 2019 13:13
sharidas
sharidas reviewed Mar 22, 2019
View reviewed changes
Copy link

@sharidas sharidas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This document looks excellent 👍 One small comment added regarding the PR mentioned.

@mmattel
Copy link
Contributor

mmattel commented Mar 24, 2019
edited
Loading

Not everyone is aware about the term HSM. I would therefore take the long name Hardware Security Module into the navigation and page header and then continue with the abbreviation HSM.

@settermjd settermjd force-pushed the document-hsmdaemon branch 2 times, most recently from 7a6dde4 to 7642b88 Compare March 25, 2019 11:01
mmattel
mmattel reviewed Mar 25, 2019
View reviewed changes
@settermjd settermjd requested a review from butonic March 29, 2019 10:24
sharidas
sharidas previously approved these changes Apr 1, 2019
View reviewed changes
Copy link

@sharidas sharidas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 👍

@mmattel
Copy link
Contributor

mmattel commented Apr 1, 2019
edited
Loading

Before merging, pls see my comment #802 (comment)

Update: solved

@settermjd settermjd force-pushed the document-hsmdaemon branch from 80b6577 to 320f297 Compare April 2, 2019 12:35
@settermjd settermjd mentioned this pull request Apr 18, 2019
Closed
12 tasks
@settermjd
Copy link
Contributor Author

settermjd commented May 6, 2019
edited
Loading

@butonic, have I understood you correctly with the changes made in ffda10b?

@butonic
Copy link
Member

butonic commented May 7, 2019
edited
Loading

@settermjd one more thing:

When using hsmdaemon with an HSM, the keys are not stored on the same physical machine as ownCloud.

When using hsmdaemon with an HSM, the keys can be stored on a different physical machine as ownCloud.

Sorry for nitpicking: the keys may actually land on the same machine. The HSM might only be used to decrypt them. I think rephrasing with can is a good way to describe the situation.

@settermjd
Copy link
Contributor Author

settermjd commented May 7, 2019
edited
Loading

@butonic, with respect to #802 (comment), please do nit-pick. I'm all for it to ensure 100% accuracy and quality of the documentation. However, that change likely invalidates the two sentences that follow after.

@settermjd
Copy link
Contributor Author

settermjd commented May 7, 2019

@butonic, can you review 605db58 pls?

@butonic
Copy link
Member

butonic commented May 7, 2019
edited
Loading

@settermjd hm that sounds confusing ... why point out that there is still insecurity left ...

When using hsmdaemon with an HSM, the keys can be stored on a different physical machine as ownCloud.

Sounds more positive, doesn't it? I feel that it conveys the idea of moving the keys elsewhere. If it really happens depends on the implementation details of the HSM. We shouldn't bother going into that, otherwise we might have to go into the details of individual HSM modules and how and where they store key material. I think it still makes sense to give SoftHSM2 as an example later, together with the corresponding threat model.

@settermjd
Copy link
Contributor Author

settermjd commented May 7, 2019

Okay. That sounds fair to me.

@settermjd settermjd force-pushed the document-hsmdaemon branch from 605db58 to 7f511d8 Compare May 7, 2019 14:14
@settermjd
Copy link
Contributor Author

settermjd commented May 7, 2019

@butonic, change made.

@settermjd settermjd force-pushed the document-hsmdaemon branch from 705083a to 7bcc417 Compare May 8, 2019 10:51
@settermjd settermjd merged commit 16f38a3 into master May 8, 2019
@delete-merged-branch delete-merged-branch bot deleted the document-hsmdaemon branch May 8, 2019 12:30
settermjd added a commit that referenced this pull request May 8, 2019
@settermjd
[10.2] [PR 802] Document the HSM Daemon
813933b 
Backport of PR #802
settermjd added a commit that referenced this pull request May 8, 2019
@settermjd
[10.2] [PR 802] Document the HSM Daemon (#1168)
8562637 
Backport of PR #802
@settermjd settermjd mentioned this pull request May 8, 2019
Merged
settermjd added a commit that referenced this pull request Jul 22, 2019
@settermjd
Document the HSM Daemon (#802)
8cf5027 
* Document the HSM Daemon

* Heavily reworked the hsmdaemon documentation

- Provide installation instructions on all supported distributions
- Remove duplicate content
- Provide configuration file and binary path information
- Add admonitions to make the content clearer and simpler
- Add in-page navigation lists to make movement more efficient

This fixes #586.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mmattel mmattel mmattel left review comments

+4 more reviewers

@sharidas sharidas sharidas left review comments

@patrickjahns patrickjahns patrickjahns left review comments

@pmaier1 pmaier1 pmaier1 left review comments

@butonic butonic butonic approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@settermjd settermjd

Labels

admin docs enhancement New feature or request waiting on feedback

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

How to enable HSM with encryption

7 participants

@settermjd @mmattel @pmaier1 @sharidas @butonic @patrickjahns