From e352de80516bcfaa2ca001238c1eec46268ac886 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Fri, 22 Mar 2019 13:19:25 +0100
Subject: [PATCH 01/15] Document the HSM Daemon

This fixes #586.
---
 modules/admin_manual/nav.adoc                 |   1 +
 .../server/security/hsmdaemon.adoc            | 514 ++++++++++++++++++
 2 files changed, 515 insertions(+)
 create mode 100644 modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc

diff --git a/modules/admin_manual/nav.adoc b/modules/admin_manual/nav.adoc
index d40d665620..48956eecea 100644
--- a/modules/admin_manual/nav.adoc
+++ b/modules/admin_manual/nav.adoc
@@ -64,6 +64,7 @@
 **** Security
 ***** xref:configuration/server/security/password_policy.adoc[Password policy]
 ***** xref:configuration/server/security/oauth2.adoc[OAuth2]
+***** xref:configuration/server/security/hsmdaemon.adoc[The HSM Daemon]
 **** xref:configuration/server/activity_configuration.adoc[Activity Configuration]
 **** xref:configuration/server/antivirus_configuration.adoc[Antivirus Configuration]
 **** xref:configuration/server/automatic_configuration.adoc[Automatic Configuration]
diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
new file mode 100644
index 0000000000..59b6727ed1
--- /dev/null
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -0,0 +1,514 @@
+= The HSM Daemon (hsmdaemon)
+:hsm-url: https://en.wikipedia.org/wiki/Hardware_security_module
+:base64-encoding-url: https://en.wikipedia.org/wiki/Base64
+:pkcs11-url: https://en.wikipedia.org/wiki/PKCS_11
+
+The hsmdaemon is a daemon to delegate encryption to an {hsm-url}[HSM (Hardware Security Module)].
+It can be necessary, as PHP cannot directly interface with {pkcs11-url}[a PKCS11 stack]; neither by an API wrapper, because one does not exist, yet, nor via the OpenSSL bindings
+Because of this, a separate process is needed to decrypt anything with the private key stored in an HSM. 
+
+Running exec() to decrypt the key with a command line command to do the encryption might leak the HSM credentials if the admin lists the currently running processes. 
+To prevent that an "HSM" daemon will be used that can open a session to the HSM upon startup. 
+This daemon will be used by ownCloud to decrypt the current master key upon request. 
+The communication will happen via UNIX or TCP sockets and is authorized by a shared token that the daemon stores in the ownCloud database via a REST/JSON route.
+
+ownCloud internally uses OpenSSL to en-/decrypt keys and needs to be extended to support en-/decrypt operations via the new daemon. 
+The current solution would be to encrypt the current ownCloud master key with a key from the HSM. 
+Doing so only requires patching `KeyManagers` `getMasterKeyPassword()` and `getSystemPrivateKey()` methods to decrypt the key read from disk.
+
+== How The HSM Daemon Interacts with ownCloud
+
+Upon startup, the daemon will generate a token and send it to ownCloud via a new REST/JSON route. 
+After connecting with the HSM daemon, an unsophisticated, line-based, protocol is used (every line ends with CRLF):
+
+. ownCloud sends the token read from database.
+. The daemon compares the received token with its token and returns an `"OK"` line.
+. ownCloud then sends the data it wants to decrypt as a {base64-encoding-url}[Base64-encoded], one-line string.
+. The daemon returns the decrypted data as a Base64-encoded one-line string.
+
+Doing so ensures that an evil admin will need to wiretap the communication between either the database or the HSM daemon and ownCloud.
+
+== Installation
+
+=== Overview
+
+HSM support consists of three main parts: 
+
+. An actual HSM PKCS11 module 
+. The hsmdaemon that provides a JWT protected web API for the PKCS11 stack to generate key pairs and decrypt data 
+. A patch to the ownCloud encryption app
+
+All commands are assumed to be executed as root unless stated otherwise.
+
+=== Deployment and Resource Usage
+
+We recommend running hsmdaemon on every Apache server to reduce latency. 
+The daemon uses few resources:
+
+[source,console]
+----
+$ ps aux --sort -rss | head -1
+USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
+$ ps aux --sort -rss | grep hsm | grep -v grep
+root     19568  0.0  0.0 231052  2608 ?        Ssl  Feb08   0:00 /home/jfd/Repositories/hsmdaemon/hsmdaemon
+----
+
+=== Installing a PKCS11 Module
+
+==== Using a Preconfigured PKCS11 Module
+
+At least one PKCS11 library is necessary. Ask the customer for the path to a fully configured PKCS11 module. 
+The HSM vendor typically provides the PKCS11 module, e.g., `/opt/nfast/toolkits/pkcs11/libcknfast.so` for Thales nShield.
+
+If none is available, you can follow the below optional steps to install a software HSM.
+
+==== [optional] Installing SoftHSM 2
+
+On Debian, two packages are available: `softhsm` and `softhsm2`. 
+Install `softhsm2` with
+
+[source,console]
+----
+apt install softhsm2
+----
+
+Installing them also installs `/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so`, which is a module that we will need later, for interaction with the PKCS11 API.
+The Debian location of the config file is `/etc/softhsm/softhsm2.conf`:
+
+[source,ini]
+....
+# SoftHSM v2 configuration file
+
+directories.tokendir = /var/lib/softhsm/tokens/
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = INFO
+....
+
+Make sure the `directories.tokendir` exists.
+Now we can initialize the token:
+
+[source,console]
+----
+softhsm2-util --init-token --slot 0 --label "My token 1"
+----
+
+It will ask for two PINs, a user and SO pin.
+See https://www.opendnssec.org/softhsm/, for more information.
+
+==== [optional] Installing PKCS11 CLI tools
+
+To use the PKCS11 API on the CLI, we install `opensc` with:
+
+[source,console]
+----
+apt install opensc
+----
+
+Now we can list the tokens with
+
+[source,console]
+----
+pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so -l --pin 1234 -O
+----
+
+The module parameter is the library provided by the HSM vendor; in this case, it was installed with SoftHSM 2.
+See https://github.com/OpenSC/OpenSC/wiki for more information.
+
+=== Installing the hsmdaemon
+
+Installing hsmdaemon requires several steps. 
+These are:
+
+. xref:install-the-binary[Install the Binary]
+. xref:install-the-system-service[Install the System Service]
+. xref:copy-the-config-file[Copy the Config File]
+. xref:configure-the-pkcs11-module-path[Configure the PKCS 11 Module Path]
+. xref:configure-slot-and-pin[Configure Slot and Pin]
+. xref:test-key-generation[Test Key Generation]
+. xref:configure-other-options[Configure Other Options]
+. xref:owncloud-setup[ownCloud Setup]
+
+==== Install the Binary
+
+To install the hsmdaemon, you first need to install the package’s dependencies, stored in `go.mod`. To install them, run `go get`. 
+The command should not show any console output and take no more than a few minutes.
+
+Once the package dependencies are installed, you next need to compile hsmdaemon. 
+To do this, use the command: `make install`, which creates the hsmdaemon binary in the `bin` directory of your `$GOPATH`, naming it `hsmdaemon`.
+After compilation, you need to make the file executable and move it to a directory located in your system path.
+
+If you are not sure which directories are in your system path, run the following script to see a complete list:
+
+[source,console]
+----
+OFS=$IFS && IFS=':'
+for i in $(echo $PATH); do echo $i; done;
+IFS=$OFS;
+----
+
+You should see a list similar to the following:
+
+[source,console]
+----
+/usr/local/sbin
+/usr/local/bin
+/usr/sbin
+/usr/bin
+/sbin
+/bin
+----
+
+===== Installation Example
+
+To save time, copy and paste the commands below to compile the hsmdaemon.
+
+[source,console]
+----
+# Install hsmdaemon's dependencies
+go get
+
+# Compile hsmdaemon
+make install
+
+# Make the file executable
+chmod +x hsmdaemon
+----
+
+==== Install the System Service
+
+Now that the binary is available, hsmdaemon must be installed as a system service. 
+To do this, run it with the `install` option, as in the example below.
+
+[source,console]
+----
+$ ./hsmdaemon install
+----
+
+If it installs successfully, then you should see the following console output:
+
+....
+Install HSM Daemon:                                     [  OK  ]
+....
+
+==== Copy the Config File
+
+Now that the hsmdaemon is ready, its config file needs to be prepared. 
+The default location that hsmdaemon looks for its config file is `/etc/hsmdaemon/hsmdaemon.toml`. 
+To create it from the example config file available in the cloned repository, run the following commands.
+
+[source,console]
+----
+$ mkdir /etc/hsmdaemon                              # Create the hsmdaemon configuration directory
+$ cp hsmdaemon.toml /etc/hsmdaemon/hsmdaemon.toml   # Copy the example config file
+$ chown root /etc/hsmdaemon/hsmdaemon.toml          # Set the owner of the file to root
+$ chmod 750 /etc/hsmdaemon/hsmdaemon.toml           # Allow only the root and users in the root group to read & write the configuration file
+----
+
+Have a look at the options of the executable:
+
+[source,console]
+----
+$ hsmdaemon help
+Usage: hsmdaemon install | remove | start | stop | status | listslots | genkey <label> | showkey <id> | parsekey | encrypt <id> <base64> | version
+----
+
+==== Configure the PKCS11 Module Path
+
+To set the path to the PKCS11 module, update the line below in `/etc/hsmdaemon/hsmdaemon.toml`, with the appropriate path on your system.
+
+....
+[pkcs11]
+module = "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so" # softhsm v2
+....
+
+==== List Available Slots
+
+This command lists the available slots.
+
+[source,console]
+----
+$ hsmdaemon listslots
+{"level":"debug","ts":"2019-02-14T09:27:02.068+0100","caller":"hsmdaemon/keymanager.go:27","msg":"initialize pkcs11 module","module":"/usr/lib/softhsm/libsofthsm2.so"}
+{"level":"info","ts":"2019-02-14T09:27:02.087+0100","caller":"hsmdaemon/keymanager.go:65","msg":"Slots found","slotIds":[550099622,1989683358,2]}
+Available slots:
+Slot: 550099622,
+    Slot info:
+        Description:      SoftHSM slot ID 0x20c9daa6
+        Manufacturer ID:  SoftHSM project
+        Hardware version: 2.2
+        Firmware version: 2.2
+        Token present:    yes
+        Flags:
+    Token info:
+        Manufacturer ID:    SoftHSM project
+        Model:              SoftHSM v2
+        Hardware version:   2.2
+        Firmware version:   2.2
+        Serial number:      e8ba06bca0c9daa6
+        Initialized:        yes
+        User PIN init.:     yes
+        Label:              oc token without pin
+        MaxSessionCount:    0
+        SessionCount:       18446744073709551615
+        MaxRwSessionCount:  0
+        RwSessionCount:     18446744073709551615
+        MaxPinLen:          255
+        MinPinLen:          4
+        TotalPublicMemory:  18446744073709551615
+        FreePublicMemory:   18446744073709551615
+        TotalPrivateMemory: 18446744073709551615
+        FreePrivateMemory:  18446744073709551615
+        UTCTime:            2019021408270200
+        Flags: CKF_RNG CKF_LOGIN_REQUIRED CKF_RESTORE_KEY_NOT_NEEDED CKF_USER_PIN_COUNT_LOW
+Slot: 1989683358,
+    Slot info:
+        Description:      SoftHSM slot ID 0x7698289e
+        Manufacturer ID:  SoftHSM project
+        Hardware version: 2.2
+        Firmware version: 2.2
+        Token present:    yes
+        Flags:
+    Token info:
+        Manufacturer ID:    SoftHSM project
+        Model:              SoftHSM v2
+        Hardware version:   2.2
+        Firmware version:   2.2
+        Serial number:      a7b6bdaf7698289e
+        Initialized:        yes
+        User PIN init.:     yes
+        Label:              SoftHSM token for oc
+        MaxSessionCount:    0
+        SessionCount:       18446744073709551615
+        MaxRwSessionCount:  0
+        RwSessionCount:     18446744073709551615
+        MaxPinLen:          255
+        MinPinLen:          4
+        TotalPublicMemory:  18446744073709551615
+        FreePublicMemory:   18446744073709551615
+        TotalPrivateMemory: 18446744073709551615
+        FreePrivateMemory:  18446744073709551615
+        UTCTime:            2019021408270200
+        Flags: CKF_RNG CKF_LOGIN_REQUIRED CKF_RESTORE_KEY_NOT_NEEDED
+----
+
+==== Configure Slot and Pin
+
+Ask the customer which slot to use and if a PIN is needed. 
+Update `/etc/hsmdaemon/hsmdaemon.toml` with the information that the customer provides, in the `pkcs11` section, as in the example below.
+
+....
+[pkcs11]
+module = "/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so" # softhsm v2
+pin = "1234"          # The user pin supplied when running softhsm2-util --init-token, comment it out , or leave empty if no pin is necessary
+slot = 1989683358     # Find your slot id with `sudo hsmdaemon listslots`
+....
+
+==== Test Key Generation
+
+*Note:* If no PIN is supplied, generating a new key might be protected by an operator card that has to be inserted in the HSM. In this case, coordinate testing and final master key generation with the customers HSM team.
+
+For testing key generation, run the command `hsmdaemon genkey test`, as in the following example.
+
+[source,console]
+----
+$ hsmdaemon genkey test
+Id: 9bac3719-2b8d-11e9-aeab-0242b5ece4c3, label: test
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl1BO4vsI+xDk+x0nccl7
+HQhMR/hwfa0+N8fyYNI8yzTTmYDqz9aaF20qG48+mjC0AUEt2kfKo94xM3UeEw4c
+st4j1dpRJtmAJThcuN8OH3sa+3MeXWgGuWxjB1lxEEOqax2A6XzllDlbDsogwkOL
+hSkUU9AaMRBtF8fASJGtJDP+iXwdb7OsFg78PS1wBAISYSUwk06xY7LwWIxge+hY
+4oU+5x4itusdO6rz6kbcJtmUyDUb8DhKnN6OdkhnifUZLBG9HQyTa5OM+BAabbFZ
+mTM2gZlUnGKXN7c4kaBPFt1IfjjVYu7pvj3B2uxUf4GywuSuWGWnAy89FqeXteRV
+jwIDAQAB
+-----END PUBLIC KEY-----
+----
+
+==== Testing Data Encryption
+
+For testing data encryption, run the `hsmdaemon encrypt` command, as in the following example.
+
+[source,console]
+----
+The first argument is the "Id:" value from running the genkey command above.
+$ sudo hsmdaemon encrypt 9bac3719-2b8d-11e9-aeab-0242b5ece4c3 Zm9vYmFy
+----
+
+If successful, you should see output similar to the below example.
+
+[source,console]
+----
+{"level":"debug","ts":"2019-03-20T12:43:40.540+0100","caller":"hsmdaemon/keymanager.go:27","msg":"initialize pkcs11 module","module":"/usr/lib/softhsm/libsofthsm2.so"}
+{"level":"debug","ts":"2019-03-20T12:43:40.545+0100","caller":"hsmdaemon/keymanager.go:205","msg":"openHSMSession","slotID":858597139}
+{"level":"info","ts":"2019-03-20T12:43:40.549+0100","caller":"hsmdaemon/keymanager.go:621","msg":"Fetching private key","keyID":"9bac3719-2b8d-11e9-aeab-0242b5ece4c3"}
+{"level":"debug","ts":"2019-03-20T12:43:40.549+0100","caller":"hsmdaemon/keymanager.go:641","msg":"Got uuid","string":"13d34146-4b02-11e9-adbd-0023ae27c404"}
+WcezVb2N6bF8wlDooKZcmFn3tZgoIpoFGx6wQetx9sp1nK7JW2Y4OKt7P+0VKKlFO7yXaffVDD2Q6jZZCQukQVRV1zJrwbI9xU3YlOAwJFPP+WM/dZ1vdUwi7L05wq8UpL13LJWlMkvd1eIqKJS7apMnFk2hbnxXP6UKZmI++1tXvqbAc6fwhcB5J+JG6lmS4RwnD+eJC3dq5t00zzdI6vuIM/y3UT7ESklmHl5bKl+N+d6yk6qLxnFnIJweL+M3Tf13+XPNAh5JxZpheJPvN3oL28uX76aizy4BCLnRgQ/ryUQeDF+a4zNF22sMwBh4Pt46KrYGNDZAnQpVzmkrZQ==
+----
+
+==== Testing Showing Keys
+
+To show an existing key, use the `showkey` command with the key’s id, as in the following example.
+
+[source,console]
+----
+sudo hsmdaemon showkey 9bac3719-2b8d-11e9-aeab-0242b5ece4c3
+----
+
+////
+==== Testing Data Decryption
+
+TODO.
+
+==== Testing Key Deletion
+
+TODO.
+////
+
+==== [optional] Configure Other Options
+
+For more options see the self-documented default config file `hsmdaemon.toml`.
+
+==== Run in Foreground During Setup
+
+During ownCloud config you might want to run the service in the foreground to see what is going on:
+
+[source,console]
+----
+$ ./hsmdaemon
+{
+    "level": "info",
+    "ts": "2019-02-14T09:32:59.081+0100",
+    "caller": "hsmdaemon/hsmdaemon.go:146",
+    "msg": "Server listening",
+    "host": "localhost",
+    "port": 8513,
+    "version": "0.0.7",
+    "build": "2019-02-08T10:47:55+00:00"
+}
+----
+
+NOTE: The above console output is formatted for readability.
+
+=== ownCloud Setup
+
+==== Shut Down Apache
+
+If anyone accesses ownCloud while encryption is enabled, it will automatically generate the keys. 
+To prevent this, shut down Apache until encryption is appropriately configured.
+
+==== Patch ownCloud
+
+NOTE: The PR for HSM support https://github.com/owncloud/core/pull/34205[is in review].
+
+For now, we assume a fresh ownCloud installation. 
+Patch the encryption app, by following the example below.
+
+[source,console]
+----
+$ cd /path/to/owncloud/installation
+$ patch -p1 < /path/to/hsmdaemon/patch/hsmdaemon.patch
+----
+
+==== Generate a Secret for the hsmdaemon REST API
+
+Generate a shared secret to use for the hsmdaemon.
+
+[source,console]
+----
+$ cat /proc/sys/kernel/random/uuid
+7a7d1826-b514-4d9f-afc7-a7485084e8de
+----
+
+Use this secret for hsmdaemon in `/etc/hsmdaemon/hsmdaemon.toml`
+
+....
+[jwt]
+secret = "7a7d1826-b514-4d9f-afc7-a7485084e8de"
+....
+
+Set the generated secret for ownCloud:
+
+[source,console]
+----
+$ sudo -u www-data ./occ config:app:set \
+    encryption hsm.jwt.secret \
+    --value '7a7d1826-b514-4d9f-afc7-a7485084e8de'
+----
+
+If the command succeeds, you should see the following console output:
+
+[source,console]
+----
+Config value hsm.jwt.secret for app encryption set to 7a7d1826-b514-4d9f-afc7-a7485084e8de
+----
+
+==== Configure HSM-based Encryption
+
+Enable HSM mode and enable encryption by running the commands in the following example.
+
+[source,console]
+----
+$ occ config:app:set encryption hsm.url --value 'http://localhost:8513'
+$ occ app:enable encryption
+$ occ encryption:enable
+----
+
+If the commands are successful, you should see the following console output:
+
+[source,console]
+----
+Config value hsm.url for app encryption set to http://localhost:8513
+
+encryption enabled
+
+Encryption enabled
+
+Default module: OC_DEFAULT_MODULE
+----
+
+If you want to use a single master key run
+
+[source,console]
+----
+$ occ encryption:select-encryption-type masterkey
+----
+
+////
+==== Configure Authorization
+
+TBW.
+////
+
+==== Initialize and Check Generated Keys
+
+Now start Apache, and log in with any user to initialize the keys, have a look at the output of the hsmdaemon to see key generation and decryption requests. 
+Check that the private key `/path/to/data/files_encryption/OC_DEFAULT_MODULE/` is less than *1000 bytes*. 
+If it is not, then something is not configured correctly. 
+You have to wipe all keys and reset the database flags for encryption to get a clean start for the ownCloud setup.
+
+TODO
+
+* Provide occ commands for key initialization and removal. Don’t rely on user login to generate keys.
+
+=== Running as a Daemon on System Startup
+
+==== Install as a Service
+
+After installation, you can register hsmdaemon as a service by running the following command
+
+[source,console]
+----
+$ ./hsmdaemon install
+Install HSM Daemon:                                     [  OK  ]
+----
+
+==== Manage with Service Commands
+
+It should now be running and startup automatically. 
+The daemon is managed using the following three commands:
+
+* `sudo service hsmdaemon start`
+* `sudo service hsmdaemon stop` and 
+* `sudo service hsmdaemon status`.

From 32f823cd3b8d78f61dc7378bf6a3715f9a0c2280 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Mon, 25 Mar 2019 11:59:13 +0100
Subject: [PATCH 02/15] Heavily reworked the hsmdaemon documentation

This change reworks the hsmdaemon documentation to:

- Provide installation instructions on all supported distributions
- Remove duplicate content
- Provide configuration file and binary path information
- Add admonitions to make the content clearer and simpler
- Add in-page navigation lists to make movement more efficient
---
 .../server/security/hsmdaemon.adoc            | 368 +++++++++++-------
 1 file changed, 221 insertions(+), 147 deletions(-)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
index 59b6727ed1..5a01ad48c0 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -1,20 +1,29 @@
 = The HSM Daemon (hsmdaemon)
-:hsm-url: https://en.wikipedia.org/wiki/Hardware_security_module
 :base64-encoding-url: https://en.wikipedia.org/wiki/Base64
+:hsm-url: https://en.wikipedia.org/wiki/Hardware_security_module
+:jwt-url: https://jwt.io/
+:network-sockets-url: https://en.wikipedia.org/wiki/Network_socket
+:go-install-url: https://golang.org/doc/install
+:opensc-wiki-url: https://github.com/OpenSC/OpenSC/wiki
+:opensuse-security-repositories-url: https://download.opensuse.org/repositories/security/
+:php-exec-function-url: https://www.php.net/manual/en/function.exec.php
 :pkcs11-url: https://en.wikipedia.org/wiki/PKCS_11
+:pkcs11-tool-url: https://linux.die.net/man/1/pkcs11-tool 
+:softhsm2-url: https://www.opendnssec.org/softhsm/
+:unix-sockets-url: http://beej.us/guide/bgipc/html/multi/unixsock.html
 
 The hsmdaemon is a daemon to delegate encryption to an {hsm-url}[HSM (Hardware Security Module)].
 It can be necessary, as PHP cannot directly interface with {pkcs11-url}[a PKCS11 stack]; neither by an API wrapper, because one does not exist, yet, nor via the OpenSSL bindings
 Because of this, a separate process is needed to decrypt anything with the private key stored in an HSM. 
 
-Running exec() to decrypt the key with a command line command to do the encryption might leak the HSM credentials if the admin lists the currently running processes. 
+Running {php-exec-function-url}[exec()] to decrypt the key with a command line command to do the encryption might leak the HSM credentials if the admin lists the currently running processes. 
 To prevent that an "HSM" daemon will be used that can open a session to the HSM upon startup. 
+
 This daemon will be used by ownCloud to decrypt the current master key upon request. 
-The communication will happen via UNIX or TCP sockets and is authorized by a shared token that the daemon stores in the ownCloud database via a REST/JSON route.
+The communication happens via {unix-sockets-url}[UNIX sockets] or {network-sockets-url}[TCP sockets] and is authorized by a shared token that the daemon stores in the ownCloud database via a REST/JSON route.
 
 ownCloud internally uses OpenSSL to en-/decrypt keys and needs to be extended to support en-/decrypt operations via the new daemon. 
 The current solution would be to encrypt the current ownCloud master key with a key from the HSM. 
-Doing so only requires patching `KeyManagers` `getMasterKeyPassword()` and `getSystemPrivateKey()` methods to decrypt the key read from disk.
 
 == How The HSM Daemon Interacts with ownCloud
 
@@ -28,52 +37,128 @@ After connecting with the HSM daemon, an unsophisticated, line-based, protocol i
 
 Doing so ensures that an evil admin will need to wiretap the communication between either the database or the HSM daemon and ownCloud.
 
+== Quick Overview
+
+HSM support consists of two core parts:
+
+. An actual HSM PKCS11 module.
+. An hsmdaemon that provides a {jwt-url}[JWT]-protected web API for the PKCS11 stack to generate key pairs and decrypt data.
+
+== Deployment Recommendation
+
+We recommend running hsmdaemon on every Apache server to reduce latency. 
+
 == Installation
 
-=== Overview
+Integrating the hsmdaemon with ownCloud requires X steps; these are:
 
-HSM support consists of three main parts: 
+. xref:install-a-pkcs11-module[Install a PKCS11 Module]
+. xref:install-and-configure-the-hsmdaemon[Install and Configure the hsmdaemon]
+. xref:configure-owncloud[Configure ownCloud]
+. xref:install-the-hsmdaemon-as-a-system-service[Install the hsmdaemon as a System Service]
 
-. An actual HSM PKCS11 module 
-. The hsmdaemon that provides a JWT protected web API for the PKCS11 stack to generate key pairs and decrypt data 
-. A patch to the ownCloud encryption app
+[NOTE]
+====
+The installation instructions in this guide have been designed to work with xref:installation/system_requirements.adoc#server[ownCloud's supported operating systems].
+If you are using a different operating system or distribution, please adjust the instructions to suit your environment.
+====
 
-All commands are assumed to be executed as root unless stated otherwise.
+=== Install a PKCS11 Module
 
-=== Deployment and Resource Usage
+==== Install Using a Preconfigured PKCS11 Module
 
-We recommend running hsmdaemon on every Apache server to reduce latency. 
-The daemon uses few resources:
+At least one PKCS11 library is necessary, which is typically provided by an HSM vendor. 
+
+TIP: If none is available, you can follow the steps below to install a software HSM.
+
+==== Install SoftHSM2 (optional)
+
+If you do not have an HSM-provided PKCS11 library, then you can use {softhsm2-url}[SoftHSM2] instead.
+To do so, follow the instructions for you Linux distribution below.
+
+* xref:install-softhsm2-debian-ubuntu[Debian and Ubuntu]
+* xref:install-softhsm2-opensuse-suse-linux-enterprise-server[openSUSE and SUSE Linux Enterprise Server]
+* xref:install-softhsm2-fedora-red-hat-enterprise-linux-centos[Fedora and Red Hat Enterprise Linux and Centos]
+
+NOTE: Installing these two packages also installs `/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so`, which is a module that we will need later, for interaction with the PKCS11 API.
+
+[[install-softhsm2-debian-ubuntu]]
+===== Install on Debian and Ubuntu
+
+To install SoftHSM2 on either Debian or Ubuntu, run the command below.
+
+[source,console]
+----
+sudo apt-get update
+sudo apt-get install -y softhsm2 libsofthsm2
+----
+
+[[install-softhsm2-opensuse-suse-linux-enterprise-server]]
+===== Install on openSUSE and SUSE Linux Enterprise Server
+
+To install SoftHSM2, you first have to ensure that you have {opensuse-security-repositories-url}[the official security repository] for your server enabled in your server's repositories list. 
+To check if it is, run the command `zypper lr`, which will show you output similar to the following:
 
 [source,console]
 ----
-$ ps aux --sort -rss | head -1
-USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
-$ ps aux --sort -rss | grep hsm | grep -v grep
-root     19568  0.0  0.0 231052  2608 ?        Ssl  Feb08   0:00 /home/jfd/Repositories/hsmdaemon/hsmdaemon
+#  | Alias                     | Name                                    | Enabled | GPG Check | Refresh
+---+---------------------------+-----------------------------------------+---------+-----------+--------
+ 1 | repo-debug                | openSUSE-Leap-15.0-Debug                | No      | ----      | ----   
+ 2 | repo-debug-non-oss        | openSUSE-Leap-15.0-Debug-Non-Oss        | No      | ----      | ----   
+ 3 | repo-debug-update         | openSUSE-Leap-15.0-Update-Debug         | No      | ----      | ----   
+ 4 | repo-debug-update-non-oss | openSUSE-Leap-15.0-Update-Debug-Non-Oss | No      | ----      | ----   
+ 5 | repo-non-oss              | openSUSE-Leap-15.0-Non-Oss              | Yes     | (r ) Yes  | Yes    
+ 6 | repo-oss                  | openSUSE-Leap-15.0-Oss                  | Yes     | (r ) Yes  | Yes    
+ 7 | repo-security             | openSUSE-Leap-15.0-Security             | Yes     | (r ) Yes  | Yes    
+ 8 | repo-source               | openSUSE-Leap-15.0-Source               | No      | ----      | ----   
+ 9 | repo-source-non-oss       | openSUSE-Leap-15.0-Source-Non-Oss       | No      | ----      | ----   
+10 | repo-update               | openSUSE-Leap-15.0-Update               | Yes     | (r ) Yes  | Yes    
+11 | repo-update-non-oss       | openSUSE-Leap-15.0-Update-Non-Oss       | Yes     | (r ) Yes  | Yes 
 ----
 
-=== Installing a PKCS11 Module
+TIP: use the `-d` flag to show the URI for each repository as well.
+
+If there is no security repository available, then add it using the following command:
 
-==== Using a Preconfigured PKCS11 Module
+[source,console]
+----
+# Replace <security-repository> with the URL for your distribution and architecture.
+sudo zypper addrepo \
+  --check \
+  --refresh \
+  --name "openSUSE-Leap-15.0-Security" \
+  <security-repository> \
+  "repo-security"
+----
 
-At least one PKCS11 library is necessary. Ask the customer for the path to a fully configured PKCS11 module. 
-The HSM vendor typically provides the PKCS11 module, e.g., `/opt/nfast/toolkits/pkcs11/libcknfast.so` for Thales nShield.
+With the repository enabled, install SoftHSM2 by running the following command:
 
-If none is available, you can follow the below optional steps to install a software HSM.
+[source,console]
+----
+sudo zypper install -y --auto-agree-with-licenses softhsm
+----
 
-==== [optional] Installing SoftHSM 2
+[[install-softhsm2-fedora-red-hat-enterprise-linux-centos]]
+===== Install on Fedora and Red Hat Enterprise Linux and Centos 
 
-On Debian, two packages are available: `softhsm` and `softhsm2`. 
-Install `softhsm2` with
+To install SoftHSM2 on Fedora and Red Hat Enterprise Linux and Centos, run the command below.
 
 [source,console]
 ----
-apt install softhsm2
+sudo yum install --assumeyes softhsm
 ----
 
-Installing them also installs `/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so`, which is a module that we will need later, for interaction with the PKCS11 API.
-The Debian location of the config file is `/etc/softhsm/softhsm2.conf`:
+===== Check the Configuration File
+
+Once SoftHSM2 is installed, check that the directory specified by `directories.tokendir` in SoftHSM2's configuration file exists.
+
+[options="headers",cols="3"]
+|===
+|Distribution |Configuration File Location |Tokens Directory
+|Debian and Ubuntu |`/etc/softhsm/softhsm2.conf` .3+|`/var/lib/softhsm/tokens/`
+|openSUSE and SUSE Linux Enterprise Server |`/etc/softhsm2.conf`
+|Fedora and Red Hat Enterprise Linux and Centos |`/etc/softhsm2.conf`
+|===
 
 [source,ini]
 ....
@@ -86,7 +171,8 @@ objectstore.backend = file
 log.level = INFO
 ....
 
-Make sure the `directories.tokendir` exists.
+==== Initialise the Token
+
 Now we can initialize the token:
 
 [source,console]
@@ -94,51 +180,94 @@ Now we can initialize the token:
 softhsm2-util --init-token --slot 0 --label "My token 1"
 ----
 
-It will ask for two PINs, a user and SO pin.
+It will ask for two PINs, an SO and a User pin.
 See https://www.opendnssec.org/softhsm/, for more information.
 
-==== [optional] Installing PKCS11 CLI tools
+==== Install PKCS11 CLI tools (optional)
+
+To use the PKCS11 API on the CLI, we need to install {opensc-wiki-url}[OpenSC]. 
+
+* xref:initialise-opensc-debian-ubuntu[Debian and Ubuntu]
+* xref:initialise-opensc-opensuse-suse-linux-enterprise-server[openSUSE and SUSE Linux Enterprise Server]
+* xref:initialise-opensc-fedora-red-hat-enterprise-linux-centos[Fedora and Red Hat Enterprise Linux and Centos]
+
+[[install-opensc-debian-ubuntu]]
+===== Initialise on Debian and Ubuntu
+
+To install OpenSC on Debian and Ubuntu, run the following command:
+
+[source,console]
+----
+sudo apt install -y opensc
+----
+
+[[install-opensc-opensuse-suse-linux-enterprise-server]]
+===== Initialise on openSUSE and SUSE Linux Enterprise Server
+
+To install OpenSC on openSUSE and SUSE Linux Enterprise Server, run the following command:
+
+[source,console]
+----
+sudo sudo zypper install -y --auto-agree-with-licenses opensc
+----
+
+[[install-opensc-fedora-red-hat-enterprise-linux-centos]]
+===== Initialise on Fedora and Red Hat Enterprise Linux and Centos 
 
-To use the PKCS11 API on the CLI, we install `opensc` with:
+To install OpenSC on Fedora and Red Hat Enterprise Linux and Centos, run the following command:
 
 [source,console]
 ----
-apt install opensc
+sudo yum install --assumeyes opensc
 ----
 
-Now we can list the tokens with
+==== List Tokens
+
+You can list the available tokens using {pkcs11-tool-url}[pkcs11-tool], by running the following command.
 
 [source,console]
 ----
-pkcs11-tool --module /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so -l --pin 1234 -O
+sudo pkcs11-tool --module </path/to/libsofthsm2.so> -l --pin <user-pin> -O
 ----
 
-The module parameter is the library provided by the HSM vendor; in this case, it was installed with SoftHSM 2.
-See https://github.com/OpenSC/OpenSC/wiki for more information.
+===== The Module Parameter
+
+The module parameter is either the library provided by the HSM vendor, or `libsofthsm2` which was installed with SoftHSM 2.
+If you are using `libsofthsm2`, the path to `libsofthsm2.so` for each of the supported distributions is available below.
+
+[options="headers",cols="2"]
+|===
+|Distribution |Path
+|Debian and Ubuntu |`/usr/lib/softhsm/libsofthsm2.so`
+|openSUSE and SUSE Linux Enterprise Server |`/usr/lib64/pkcs11/libsofthsm2.so`
+|Fedora and Red Hat Enterprise Linux and Centos |`/usr/lib64/pkcs11/libsofthsm2.so`
+|===
+
+TIP: See the {opensc-wiki-url}[OpenSC Wiki] for more information.
 
-=== Installing the hsmdaemon
+== Install and Configure the hsmdaemon
 
 Installing hsmdaemon requires several steps. 
 These are:
 
-. xref:install-the-binary[Install the Binary]
-. xref:install-the-system-service[Install the System Service]
+. xref:install-the-hsmdaemon-binary[Install the hsmdaemon Binary]
 . xref:copy-the-config-file[Copy the Config File]
+. xref:install-the-system-service[Install the System Service]
 . xref:configure-the-pkcs11-module-path[Configure the PKCS 11 Module Path]
 . xref:configure-slot-and-pin[Configure Slot and Pin]
 . xref:test-key-generation[Test Key Generation]
 . xref:configure-other-options[Configure Other Options]
-. xref:owncloud-setup[ownCloud Setup]
 
-==== Install the Binary
+=== Install the hsmdaemon Binary
 
-To install the hsmdaemon, you first need to install the package’s dependencies, stored in `go.mod`. To install them, run `go get`. 
-The command should not show any console output and take no more than a few minutes.
+After you've obtained the hsmdaemon from ownCloud, you need to:
 
-Once the package dependencies are installed, you next need to compile hsmdaemon. 
-To do this, use the command: `make install`, which creates the hsmdaemon binary in the `bin` directory of your `$GOPATH`, naming it `hsmdaemon`.
-After compilation, you need to make the file executable and move it to a directory located in your system path.
+. Move the hsmdaemon binary to a directory located in your system path.
+. Make the hsmdaemon binary Executable
+. xref:copy-the-config-file[Copy the Config File] 
 
+[TIP]
+====
 If you are not sure which directories are in your system path, run the following script to see a complete list:
 
 [source,console]
@@ -159,26 +288,24 @@ You should see a list similar to the following:
 /sbin
 /bin
 ----
+====
 
-===== Installation Example
+==== Copy the Config File
 
-To save time, copy and paste the commands below to compile the hsmdaemon.
+The default location that hsmdaemon looks for its config file is `/etc/hsmdaemon/hsmdaemon.toml`. 
+To create it from the example config file available in provided package, run the following commands.
 
 [source,console]
 ----
-# Install hsmdaemon's dependencies
-go get
-
-# Compile hsmdaemon
-make install
-
-# Make the file executable
-chmod +x hsmdaemon
+$ mkdir /etc/hsmdaemon                              # Create the hsmdaemon configuration directory
+$ cp hsmdaemon.toml /etc/hsmdaemon/hsmdaemon.toml   # Copy the example config file
+$ chown root /etc/hsmdaemon/hsmdaemon.toml          # Set the owner of the file to root
+$ chmod 750 /etc/hsmdaemon/hsmdaemon.toml           # Allow only the root and users in the root group to read & write the configuration file
 ----
 
 ==== Install the System Service
 
-Now that the binary is available, hsmdaemon must be installed as a system service. 
+Now that the binary is available and the configuration file is in place, hsmdaemon must be installed as a system service. 
 To do this, run it with the `install` option, as in the example below.
 
 [source,console]
@@ -192,27 +319,16 @@ If it installs successfully, then you should see the following console output:
 Install HSM Daemon:                                     [  OK  ]
 ....
 
-==== Copy the Config File
+It should now be running and set to start automatically at boot time. 
 
-Now that the hsmdaemon is ready, its config file needs to be prepared. 
-The default location that hsmdaemon looks for its config file is `/etc/hsmdaemon/hsmdaemon.toml`. 
-To create it from the example config file available in the cloned repository, run the following commands.
-
-[source,console]
-----
-$ mkdir /etc/hsmdaemon                              # Create the hsmdaemon configuration directory
-$ cp hsmdaemon.toml /etc/hsmdaemon/hsmdaemon.toml   # Copy the example config file
-$ chown root /etc/hsmdaemon/hsmdaemon.toml          # Set the owner of the file to root
-$ chmod 750 /etc/hsmdaemon/hsmdaemon.toml           # Allow only the root and users in the root group to read & write the configuration file
-----
-
-Have a look at the options of the executable:
+[TIP]
+====
+The daemon is managed using the following three commands:
 
-[source,console]
-----
-$ hsmdaemon help
-Usage: hsmdaemon install | remove | start | stop | status | listslots | genkey <label> | showkey <id> | parsekey | encrypt <id> <base64> | version
-----
+* `sudo service hsmdaemon start`
+* `sudo service hsmdaemon stop` and 
+* `sudo service hsmdaemon status`.
+====
 
 ==== Configure the PKCS11 Module Path
 
@@ -268,32 +384,11 @@ Slot: 1989683358,
         Manufacturer ID:  SoftHSM project
         Hardware version: 2.2
         Firmware version: 2.2
-        Token present:    yes
-        Flags:
-    Token info:
-        Manufacturer ID:    SoftHSM project
-        Model:              SoftHSM v2
-        Hardware version:   2.2
-        Firmware version:   2.2
-        Serial number:      a7b6bdaf7698289e
-        Initialized:        yes
-        User PIN init.:     yes
-        Label:              SoftHSM token for oc
-        MaxSessionCount:    0
-        SessionCount:       18446744073709551615
-        MaxRwSessionCount:  0
-        RwSessionCount:     18446744073709551615
-        MaxPinLen:          255
-        MinPinLen:          4
-        TotalPublicMemory:  18446744073709551615
-        FreePublicMemory:   18446744073709551615
-        TotalPrivateMemory: 18446744073709551615
-        FreePrivateMemory:  18446744073709551615
-        UTCTime:            2019021408270200
-        Flags: CKF_RNG CKF_LOGIN_REQUIRED CKF_RESTORE_KEY_NOT_NEEDED
 ----
 
-==== Configure Slot and Pin
+TIP: See the {opensc-wiki-url}[OpenSC Wiki] for more information.
+
+==== Configure the Slot and Pin
 
 Ask the customer which slot to use and if a PIN is needed. 
 Update `/etc/hsmdaemon/hsmdaemon.toml` with the information that the customer provides, in the `pkcs11` section, as in the example below.
@@ -307,7 +402,11 @@ slot = 1989683358     # Find your slot id with `sudo hsmdaemon listslots`
 
 ==== Test Key Generation
 
-*Note:* If no PIN is supplied, generating a new key might be protected by an operator card that has to be inserted in the HSM. In this case, coordinate testing and final master key generation with the customers HSM team.
+[NOTE] 
+====
+If no PIN is supplied, generating a new key might be protected by an operator card that has to be inserted in the HSM. 
+In this case, coordinate testing and final master key generation with your HSM team.
+====
 
 For testing key generation, run the command `hsmdaemon genkey test`, as in the following example.
 
@@ -326,7 +425,7 @@ jwIDAQAB
 -----END PUBLIC KEY-----
 ----
 
-==== Testing Data Encryption
+==== Test Data Encryption
 
 For testing data encryption, run the `hsmdaemon encrypt` command, as in the following example.
 
@@ -347,9 +446,9 @@ If successful, you should see output similar to the below example.
 WcezVb2N6bF8wlDooKZcmFn3tZgoIpoFGx6wQetx9sp1nK7JW2Y4OKt7P+0VKKlFO7yXaffVDD2Q6jZZCQukQVRV1zJrwbI9xU3YlOAwJFPP+WM/dZ1vdUwi7L05wq8UpL13LJWlMkvd1eIqKJS7apMnFk2hbnxXP6UKZmI++1tXvqbAc6fwhcB5J+JG6lmS4RwnD+eJC3dq5t00zzdI6vuIM/y3UT7ESklmHl5bKl+N+d6yk6qLxnFnIJweL+M3Tf13+XPNAh5JxZpheJPvN3oL28uX76aizy4BCLnRgQ/ryUQeDF+a4zNF22sMwBh4Pt46KrYGNDZAnQpVzmkrZQ==
 ----
 
-==== Testing Showing Keys
+==== Test Showing Keys
 
-To show an existing key, use the `showkey` command with the key’s id, as in the following example.
+To show an existing key, use the `showkey` command with the key's id, as in the following example.
 
 [source,console]
 ----
@@ -366,13 +465,14 @@ TODO.
 TODO.
 ////
 
-==== [optional] Configure Other Options
+==== Configure Other Options (optional)
 
 For more options see the self-documented default config file `hsmdaemon.toml`.
 
-==== Run in Foreground During Setup
-
-During ownCloud config you might want to run the service in the foreground to see what is going on:
+[TIP]
+====
+During ownCloud config you might want to run the hsmdaemon service in the foreground to see what is going on.
+You can do so, using the following command (which also shows example console output, formatted for readability).
 
 [source,console]
 ----
@@ -388,28 +488,21 @@ $ ./hsmdaemon
     "build": "2019-02-08T10:47:55+00:00"
 }
 ----
+====
 
-NOTE: The above console output is formatted for readability.
-
-=== ownCloud Setup
-
-==== Shut Down Apache
+=== Configure ownCloud
 
+[TIP]
+====
 If anyone accesses ownCloud while encryption is enabled, it will automatically generate the keys. 
 To prevent this, shut down Apache until encryption is appropriately configured.
+====
 
-==== Patch ownCloud
+To configure ownCloud to work with the hsmdaemon requires the following steps:
 
-NOTE: The PR for HSM support https://github.com/owncloud/core/pull/34205[is in review].
-
-For now, we assume a fresh ownCloud installation. 
-Patch the encryption app, by following the example below.
-
-[source,console]
-----
-$ cd /path/to/owncloud/installation
-$ patch -p1 < /path/to/hsmdaemon/patch/hsmdaemon.patch
-----
+* xref:generate-a-secret-for-the-hsmdaemon-rest-api[Generate a Secret for the hsmdaemon REST API]
+* xref:configure-hsm-based-encryption[Configure HSM-based Encryption]
+* xref:initialize-and-check-generated-keys[Initialize and Check Generated Keys]
 
 ==== Generate a Secret for the hsmdaemon REST API
 
@@ -488,27 +581,8 @@ Check that the private key `/path/to/data/files_encryption/OC_DEFAULT_MODULE/` i
 If it is not, then something is not configured correctly. 
 You have to wipe all keys and reset the database flags for encryption to get a clean start for the ownCloud setup.
 
+////
 TODO
 
-* Provide occ commands for key initialization and removal. Don’t rely on user login to generate keys.
-
-=== Running as a Daemon on System Startup
-
-==== Install as a Service
-
-After installation, you can register hsmdaemon as a service by running the following command
-
-[source,console]
-----
-$ ./hsmdaemon install
-Install HSM Daemon:                                     [  OK  ]
-----
-
-==== Manage with Service Commands
-
-It should now be running and startup automatically. 
-The daemon is managed using the following three commands:
-
-* `sudo service hsmdaemon start`
-* `sudo service hsmdaemon stop` and 
-* `sudo service hsmdaemon status`.
+* Provide occ commands for key initialization and removal. Don't rely on user login to generate keys.
+////

From afad6f6278defeb1744447206e6a753d46c07780 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Wed, 27 Mar 2019 21:39:46 +0100
Subject: [PATCH 03/15] Update the documentation based on further feedback

---
 modules/admin_manual/nav.adoc                 |  2 +-
 .../server/security/hsmdaemon.adoc            | 44 +++++++++----------
 2 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/modules/admin_manual/nav.adoc b/modules/admin_manual/nav.adoc
index 48956eecea..148307643f 100644
--- a/modules/admin_manual/nav.adoc
+++ b/modules/admin_manual/nav.adoc
@@ -64,7 +64,7 @@
 **** Security
 ***** xref:configuration/server/security/password_policy.adoc[Password policy]
 ***** xref:configuration/server/security/oauth2.adoc[OAuth2]
-***** xref:configuration/server/security/hsmdaemon.adoc[The HSM Daemon]
+***** xref:configuration/server/security/hsmdaemon.adoc[The HSM (Hardware Security Module) Daemon]
 **** xref:configuration/server/activity_configuration.adoc[Activity Configuration]
 **** xref:configuration/server/antivirus_configuration.adoc[Antivirus Configuration]
 **** xref:configuration/server/automatic_configuration.adoc[Automatic Configuration]
diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
index 5a01ad48c0..7e33243130 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -1,9 +1,8 @@
-= The HSM Daemon (hsmdaemon)
+= The HSM (Hardware Security Module) Daemon (hsmdaemon)
 :base64-encoding-url: https://en.wikipedia.org/wiki/Base64
 :hsm-url: https://en.wikipedia.org/wiki/Hardware_security_module
 :jwt-url: https://jwt.io/
 :network-sockets-url: https://en.wikipedia.org/wiki/Network_socket
-:go-install-url: https://golang.org/doc/install
 :opensc-wiki-url: https://github.com/OpenSC/OpenSC/wiki
 :opensuse-security-repositories-url: https://download.opensuse.org/repositories/security/
 :php-exec-function-url: https://www.php.net/manual/en/function.exec.php
@@ -46,11 +45,11 @@ HSM support consists of two core parts:
 
 == Deployment Recommendation
 
-We recommend running hsmdaemon on every Apache server to reduce latency. 
+We recommend running hsmdaemon on every web server to reduce latency. 
 
 == Installation
 
-Integrating the hsmdaemon with ownCloud requires X steps; these are:
+Integrating the hsmdaemon with ownCloud requires 4 steps; these are:
 
 . xref:install-a-pkcs11-module[Install a PKCS11 Module]
 . xref:install-and-configure-the-hsmdaemon[Install and Configure the hsmdaemon]
@@ -297,10 +296,10 @@ To create it from the example config file available in provided package, run the
 
 [source,console]
 ----
-$ mkdir /etc/hsmdaemon                              # Create the hsmdaemon configuration directory
-$ cp hsmdaemon.toml /etc/hsmdaemon/hsmdaemon.toml   # Copy the example config file
-$ chown root /etc/hsmdaemon/hsmdaemon.toml          # Set the owner of the file to root
-$ chmod 750 /etc/hsmdaemon/hsmdaemon.toml           # Allow only the root and users in the root group to read & write the configuration file
+mkdir /etc/hsmdaemon                              # Create the hsmdaemon configuration directory
+cp hsmdaemon.toml /etc/hsmdaemon/hsmdaemon.toml   # Copy the example config file
+chown root /etc/hsmdaemon/hsmdaemon.toml          # Set the owner of the file to root
+chmod 750 /etc/hsmdaemon/hsmdaemon.toml           # Allow only the root and users in the root group to read & write the configuration file
 ----
 
 ==== Install the System Service
@@ -310,7 +309,7 @@ To do this, run it with the `install` option, as in the example below.
 
 [source,console]
 ----
-$ ./hsmdaemon install
+./hsmdaemon install
 ----
 
 If it installs successfully, then you should see the following console output:
@@ -345,7 +344,7 @@ This command lists the available slots.
 
 [source,console]
 ----
-$ hsmdaemon listslots
+hsmdaemon listslots
 {"level":"debug","ts":"2019-02-14T09:27:02.068+0100","caller":"hsmdaemon/keymanager.go:27","msg":"initialize pkcs11 module","module":"/usr/lib/softhsm/libsofthsm2.so"}
 {"level":"info","ts":"2019-02-14T09:27:02.087+0100","caller":"hsmdaemon/keymanager.go:65","msg":"Slots found","slotIds":[550099622,1989683358,2]}
 Available slots:
@@ -412,7 +411,7 @@ For testing key generation, run the command `hsmdaemon genkey test`, as in the f
 
 [source,console]
 ----
-$ hsmdaemon genkey test
+hsmdaemon genkey test
 Id: 9bac3719-2b8d-11e9-aeab-0242b5ece4c3, label: test
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl1BO4vsI+xDk+x0nccl7
@@ -431,8 +430,9 @@ For testing data encryption, run the `hsmdaemon encrypt` command, as in the foll
 
 [source,console]
 ----
-The first argument is the "Id:" value from running the genkey command above.
-$ sudo hsmdaemon encrypt 9bac3719-2b8d-11e9-aeab-0242b5ece4c3 Zm9vYmFy
+# The first argument is the "Id:" value from running the genkey command above.
+# The second is the base64-encoded data to be encrypted.
+sudo hsmdaemon encrypt 9bac3719-2b8d-11e9-aeab-0242b5ece4c3 Zm9vYmFy
 ----
 
 If successful, you should see output similar to the below example.
@@ -476,7 +476,7 @@ You can do so, using the following command (which also shows example console out
 
 [source,console]
 ----
-$ ./hsmdaemon
+./hsmdaemon
 {
     "level": "info",
     "ts": "2019-02-14T09:32:59.081+0100",
@@ -495,7 +495,7 @@ $ ./hsmdaemon
 [TIP]
 ====
 If anyone accesses ownCloud while encryption is enabled, it will automatically generate the keys. 
-To prevent this, shut down Apache until encryption is appropriately configured.
+To prevent this, shut down the web server until encryption is appropriately configured.
 ====
 
 To configure ownCloud to work with the hsmdaemon requires the following steps:
@@ -510,7 +510,7 @@ Generate a shared secret to use for the hsmdaemon.
 
 [source,console]
 ----
-$ cat /proc/sys/kernel/random/uuid
+cat /proc/sys/kernel/random/uuid
 7a7d1826-b514-4d9f-afc7-a7485084e8de
 ----
 
@@ -525,7 +525,7 @@ Set the generated secret for ownCloud:
 
 [source,console]
 ----
-$ sudo -u www-data ./occ config:app:set \
+sudo -u www-data ./occ config:app:set \
     encryption hsm.jwt.secret \
     --value '7a7d1826-b514-4d9f-afc7-a7485084e8de'
 ----
@@ -543,9 +543,9 @@ Enable HSM mode and enable encryption by running the commands in the following e
 
 [source,console]
 ----
-$ occ config:app:set encryption hsm.url --value 'http://localhost:8513'
-$ occ app:enable encryption
-$ occ encryption:enable
+occ config:app:set encryption hsm.url --value 'http://localhost:8513'
+occ app:enable encryption
+occ encryption:enable
 ----
 
 If the commands are successful, you should see the following console output:
@@ -565,7 +565,7 @@ If you want to use a single master key run
 
 [source,console]
 ----
-$ occ encryption:select-encryption-type masterkey
+occ encryption:select-encryption-type masterkey
 ----
 
 ////
@@ -576,7 +576,7 @@ TBW.
 
 ==== Initialize and Check Generated Keys
 
-Now start Apache, and log in with any user to initialize the keys, have a look at the output of the hsmdaemon to see key generation and decryption requests. 
+Now start your web server, and log in with any user to initialize the keys, have a look at the output of the hsmdaemon to see key generation and decryption requests. 
 Check that the private key `/path/to/data/files_encryption/OC_DEFAULT_MODULE/` is less than *1000 bytes*. 
 If it is not, then something is not configured correctly. 
 You have to wipe all keys and reset the database flags for encryption to get a clean start for the ownCloud setup.

From e33e2eb64d489806bbdc0f93e5faf5be34362607 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Mon, 1 Apr 2019 10:12:01 +0200
Subject: [PATCH 04/15] Add further details after feedback from Sujith

---
 .../pages/configuration/server/security/hsmdaemon.adoc      | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
index 7e33243130..e6780ab85e 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -22,7 +22,11 @@ This daemon will be used by ownCloud to decrypt the current master key upon requ
 The communication happens via {unix-sockets-url}[UNIX sockets] or {network-sockets-url}[TCP sockets] and is authorized by a shared token that the daemon stores in the ownCloud database via a REST/JSON route.
 
 ownCloud internally uses OpenSSL to en-/decrypt keys and needs to be extended to support en-/decrypt operations via the new daemon. 
-The current solution would be to encrypt the current ownCloud master key with a key from the HSM. 
+The current solution encrypts the ownCloud master key with a key from the HSM. 
+
+NOTE: From the technical point of view the `Crypt` class is extended to handle the key generation in the HSM device and also to get the key from HSM. 
+For the read/write operation on a file, the request goes to the HSM and then, based on the keys fetched from HSM, the files are encrypted or decrypted. 
+The keys are not replaced.
 
 == How The HSM Daemon Interacts with ownCloud
 

From d1a317f01c773b114cbce451f5908a9aebd37d89 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Wed, 3 Apr 2019 08:43:30 +0200
Subject: [PATCH 05/15] Add meta keywords and description to aid in SEO
 discoverability

---
 .../pages/configuration/server/security/hsmdaemon.adoc          | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
index e6780ab85e..fd95afaa0f 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -1,4 +1,6 @@
 = The HSM (Hardware Security Module) Daemon (hsmdaemon)
+:description: Learn how to install ownCloud’s custom HSM (Hardware Security Module) and configure ownCloud to delegate encryption to it.
+:keywords: hsmdaemon, hardware security module, security, pkcs11, softhsm2
 :base64-encoding-url: https://en.wikipedia.org/wiki/Base64
 :hsm-url: https://en.wikipedia.org/wiki/Hardware_security_module
 :jwt-url: https://jwt.io/

From 1d3b0c54ce8592f5f06d8dd66bf3e20f7f510d34 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Wed, 3 Apr 2019 08:44:32 +0200
Subject: [PATCH 06/15] Fix headers so that they're at the proper levels

---
 .../pages/configuration/server/security/hsmdaemon.adoc    | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
index fd95afaa0f..5a8f211044 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -250,7 +250,7 @@ If you are using `libsofthsm2`, the path to `libsofthsm2.so` for each of the sup
 
 TIP: See the {opensc-wiki-url}[OpenSC Wiki] for more information.
 
-== Install and Configure the hsmdaemon
+=== Install and Configure the hsmdaemon
 
 Installing hsmdaemon requires several steps. 
 These are:
@@ -263,7 +263,7 @@ These are:
 . xref:test-key-generation[Test Key Generation]
 . xref:configure-other-options[Configure Other Options]
 
-=== Install the hsmdaemon Binary
+==== Install the hsmdaemon Binary
 
 After you've obtained the hsmdaemon from ownCloud, you need to:
 
@@ -405,6 +405,8 @@ pin = "1234"          # The user pin supplied when running softhsm2-util --init-
 slot = 1989683358     # Find your slot id with `sudo hsmdaemon listslots`
 ....
 
+=== Testing
+
 ==== Test Key Generation
 
 [NOTE] 
@@ -471,7 +473,7 @@ TODO.
 TODO.
 ////
 
-==== Configure Other Options (optional)
+=== Configure Other Options (optional)
 
 For more options see the self-documented default config file `hsmdaemon.toml`.
 

From a3140b45f115c4f614caa7626a2e71159705c2eb Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Wed, 3 Apr 2019 08:45:52 +0200
Subject: [PATCH 07/15] Remove unnecessary link to installing the hsmdaemon as
 a system service

As installing the hsmdaemon as a system service is part of the process
of installing and configuring the hsmdaemon, then it (to me at least)
doesn't make sense to call specific attention to this section.
---
 .../pages/configuration/server/security/hsmdaemon.adoc         | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
index 5a8f211044..d9c4a02bdc 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -55,12 +55,11 @@ We recommend running hsmdaemon on every web server to reduce latency.
 
 == Installation
 
-Integrating the hsmdaemon with ownCloud requires 4 steps; these are:
+Integrating the hsmdaemon with ownCloud requires 3 steps; these are:
 
 . xref:install-a-pkcs11-module[Install a PKCS11 Module]
 . xref:install-and-configure-the-hsmdaemon[Install and Configure the hsmdaemon]
 . xref:configure-owncloud[Configure ownCloud]
-. xref:install-the-hsmdaemon-as-a-system-service[Install the hsmdaemon as a System Service]
 
 [NOTE]
 ====

From 7f4e90428df4ac06ede167f80f5851de5f0afec8 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Wed, 3 Apr 2019 08:49:32 +0200
Subject: [PATCH 08/15] Minor text updates for readability

---
 .../pages/configuration/server/security/hsmdaemon.adoc          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
index d9c4a02bdc..d2399a8222 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -18,7 +18,7 @@ It can be necessary, as PHP cannot directly interface with {pkcs11-url}[a PKCS11
 Because of this, a separate process is needed to decrypt anything with the private key stored in an HSM. 
 
 Running {php-exec-function-url}[exec()] to decrypt the key with a command line command to do the encryption might leak the HSM credentials if the admin lists the currently running processes. 
-To prevent that an "HSM" daemon will be used that can open a session to the HSM upon startup. 
+To prevent that, an HSM daemon will be used that can open a session to the HSM upon startup. 
 
 This daemon will be used by ownCloud to decrypt the current master key upon request. 
 The communication happens via {unix-sockets-url}[UNIX sockets] or {network-sockets-url}[TCP sockets] and is authorized by a shared token that the daemon stores in the ownCloud database via a REST/JSON route.

From 2d45773bea37642933dd1e9f6c71f01a1c8a3f46 Mon Sep 17 00:00:00 2001
From: mmattel <martin.mattel@diemattels.at>
Date: Wed, 3 Apr 2019 11:53:11 +0200
Subject: [PATCH 09/15] added toc

---
 .../pages/configuration/server/security/hsmdaemon.adoc         | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
index d2399a8222..ca328cedc1 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -1,4 +1,5 @@
 = The HSM (Hardware Security Module) Daemon (hsmdaemon)
+:toc:
 :description: Learn how to install ownCloud’s custom HSM (Hardware Security Module) and configure ownCloud to delegate encryption to it.
 :keywords: hsmdaemon, hardware security module, security, pkcs11, softhsm2
 :base64-encoding-url: https://en.wikipedia.org/wiki/Base64
@@ -13,6 +14,8 @@
 :softhsm2-url: https://www.opendnssec.org/softhsm/
 :unix-sockets-url: http://beej.us/guide/bgipc/html/multi/unixsock.html
 
+== Introduction
+
 The hsmdaemon is a daemon to delegate encryption to an {hsm-url}[HSM (Hardware Security Module)].
 It can be necessary, as PHP cannot directly interface with {pkcs11-url}[a PKCS11 stack]; neither by an API wrapper, because one does not exist, yet, nor via the OpenSSL bindings
 Because of this, a separate process is needed to decrypt anything with the private key stored in an HSM. 

From d5f5541dc417fd47cfd192b6f7e623ab5e178252 Mon Sep 17 00:00:00 2001
From: mmattel <martin.mattel@diemattels.at>
Date: Thu, 4 Apr 2019 22:17:05 +0200
Subject: [PATCH 10/15] changed to toc right

---
 .../pages/configuration/server/security/hsmdaemon.adoc          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
index ca328cedc1..a79667c7b4 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
@@ -1,5 +1,5 @@
 = The HSM (Hardware Security Module) Daemon (hsmdaemon)
-:toc:
+:toc: right
 :description: Learn how to install ownCloud’s custom HSM (Hardware Security Module) and configure ownCloud to delegate encryption to it.
 :keywords: hsmdaemon, hardware security module, security, pkcs11, softhsm2
 :base64-encoding-url: https://en.wikipedia.org/wiki/Base64

From d1355fc3ba55e44e84ffdca282eefbe1e6a1bbca Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Fri, 5 Apr 2019 09:28:06 +0200
Subject: [PATCH 11/15] Update hsmdaemon support note

---
 modules/admin_manual/nav.adoc                 |   2 +-
 .../{hsmdaemon.adoc => hsmdaemon/index.adoc}  | 112 +-----------------
 .../security/hsmdaemon/install-softhsm2.adoc  | 102 ++++++++++++++++
 3 files changed, 109 insertions(+), 107 deletions(-)
 rename modules/admin_manual/pages/configuration/server/security/{hsmdaemon.adoc => hsmdaemon/index.adoc} (78%)
 create mode 100644 modules/admin_manual/pages/configuration/server/security/hsmdaemon/install-softhsm2.adoc

diff --git a/modules/admin_manual/nav.adoc b/modules/admin_manual/nav.adoc
index 148307643f..522e43c2d2 100644
--- a/modules/admin_manual/nav.adoc
+++ b/modules/admin_manual/nav.adoc
@@ -64,7 +64,7 @@
 **** Security
 ***** xref:configuration/server/security/password_policy.adoc[Password policy]
 ***** xref:configuration/server/security/oauth2.adoc[OAuth2]
-***** xref:configuration/server/security/hsmdaemon.adoc[The HSM (Hardware Security Module) Daemon]
+***** xref:configuration/server/security/hsmdaemon/index.adoc[The HSM (Hardware Security Module) Daemon]
 **** xref:configuration/server/activity_configuration.adoc[Activity Configuration]
 **** xref:configuration/server/antivirus_configuration.adoc[Antivirus Configuration]
 **** xref:configuration/server/automatic_configuration.adoc[Automatic Configuration]
diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
similarity index 78%
rename from modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
rename to modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
index a79667c7b4..e9836e2cb7 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
@@ -7,7 +7,6 @@
 :jwt-url: https://jwt.io/
 :network-sockets-url: https://en.wikipedia.org/wiki/Network_socket
 :opensc-wiki-url: https://github.com/OpenSC/OpenSC/wiki
-:opensuse-security-repositories-url: https://download.opensuse.org/repositories/security/
 :php-exec-function-url: https://www.php.net/manual/en/function.exec.php
 :pkcs11-url: https://en.wikipedia.org/wiki/PKCS_11
 :pkcs11-tool-url: https://linux.die.net/man/1/pkcs11-tool 
@@ -16,9 +15,11 @@
 
 == Introduction
 
-The hsmdaemon is a daemon to delegate encryption to an {hsm-url}[HSM (Hardware Security Module)].
-It can be necessary, as PHP cannot directly interface with {pkcs11-url}[a PKCS11 stack]; neither by an API wrapper, because one does not exist, yet, nor via the OpenSSL bindings
-Because of this, a separate process is needed to decrypt anything with the private key stored in an HSM. 
+The hsmdaemon is a daemon, provided by ownCloud, to delegate encryption to an {hsm-url}[HSM (Hardware Security Module)].
+This can be necessary, as PHP cannot, directly, interface with {pkcs11-url}[a PKCS11 stack]; neither with an API wrapper, because one does not exist, nor via the OpenSSL bindings.
+Because of this, a separate process is needed to decrypt anything with the private key stored in an HSM.
+
+NOTE: For hsmdaemon support, you need ownCloud server >= 10.2.
 
 Running {php-exec-function-url}[exec()] to decrypt the key with a command line command to do the encryption might leak the HSM credentials if the admin lists the currently running processes. 
 To prevent that, an HSM daemon will be used that can open a session to the HSM upon startup. 
@@ -75,108 +76,7 @@ If you are using a different operating system or distribution, please adjust the
 ==== Install Using a Preconfigured PKCS11 Module
 
 At least one PKCS11 library is necessary, which is typically provided by an HSM vendor. 
-
-TIP: If none is available, you can follow the steps below to install a software HSM.
-
-==== Install SoftHSM2 (optional)
-
-If you do not have an HSM-provided PKCS11 library, then you can use {softhsm2-url}[SoftHSM2] instead.
-To do so, follow the instructions for you Linux distribution below.
-
-* xref:install-softhsm2-debian-ubuntu[Debian and Ubuntu]
-* xref:install-softhsm2-opensuse-suse-linux-enterprise-server[openSUSE and SUSE Linux Enterprise Server]
-* xref:install-softhsm2-fedora-red-hat-enterprise-linux-centos[Fedora and Red Hat Enterprise Linux and Centos]
-
-NOTE: Installing these two packages also installs `/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so`, which is a module that we will need later, for interaction with the PKCS11 API.
-
-[[install-softhsm2-debian-ubuntu]]
-===== Install on Debian and Ubuntu
-
-To install SoftHSM2 on either Debian or Ubuntu, run the command below.
-
-[source,console]
-----
-sudo apt-get update
-sudo apt-get install -y softhsm2 libsofthsm2
-----
-
-[[install-softhsm2-opensuse-suse-linux-enterprise-server]]
-===== Install on openSUSE and SUSE Linux Enterprise Server
-
-To install SoftHSM2, you first have to ensure that you have {opensuse-security-repositories-url}[the official security repository] for your server enabled in your server's repositories list. 
-To check if it is, run the command `zypper lr`, which will show you output similar to the following:
-
-[source,console]
-----
-#  | Alias                     | Name                                    | Enabled | GPG Check | Refresh
----+---------------------------+-----------------------------------------+---------+-----------+--------
- 1 | repo-debug                | openSUSE-Leap-15.0-Debug                | No      | ----      | ----   
- 2 | repo-debug-non-oss        | openSUSE-Leap-15.0-Debug-Non-Oss        | No      | ----      | ----   
- 3 | repo-debug-update         | openSUSE-Leap-15.0-Update-Debug         | No      | ----      | ----   
- 4 | repo-debug-update-non-oss | openSUSE-Leap-15.0-Update-Debug-Non-Oss | No      | ----      | ----   
- 5 | repo-non-oss              | openSUSE-Leap-15.0-Non-Oss              | Yes     | (r ) Yes  | Yes    
- 6 | repo-oss                  | openSUSE-Leap-15.0-Oss                  | Yes     | (r ) Yes  | Yes    
- 7 | repo-security             | openSUSE-Leap-15.0-Security             | Yes     | (r ) Yes  | Yes    
- 8 | repo-source               | openSUSE-Leap-15.0-Source               | No      | ----      | ----   
- 9 | repo-source-non-oss       | openSUSE-Leap-15.0-Source-Non-Oss       | No      | ----      | ----   
-10 | repo-update               | openSUSE-Leap-15.0-Update               | Yes     | (r ) Yes  | Yes    
-11 | repo-update-non-oss       | openSUSE-Leap-15.0-Update-Non-Oss       | Yes     | (r ) Yes  | Yes 
-----
-
-TIP: use the `-d` flag to show the URI for each repository as well.
-
-If there is no security repository available, then add it using the following command:
-
-[source,console]
-----
-# Replace <security-repository> with the URL for your distribution and architecture.
-sudo zypper addrepo \
-  --check \
-  --refresh \
-  --name "openSUSE-Leap-15.0-Security" \
-  <security-repository> \
-  "repo-security"
-----
-
-With the repository enabled, install SoftHSM2 by running the following command:
-
-[source,console]
-----
-sudo zypper install -y --auto-agree-with-licenses softhsm
-----
-
-[[install-softhsm2-fedora-red-hat-enterprise-linux-centos]]
-===== Install on Fedora and Red Hat Enterprise Linux and Centos 
-
-To install SoftHSM2 on Fedora and Red Hat Enterprise Linux and Centos, run the command below.
-
-[source,console]
-----
-sudo yum install --assumeyes softhsm
-----
-
-===== Check the Configuration File
-
-Once SoftHSM2 is installed, check that the directory specified by `directories.tokendir` in SoftHSM2's configuration file exists.
-
-[options="headers",cols="3"]
-|===
-|Distribution |Configuration File Location |Tokens Directory
-|Debian and Ubuntu |`/etc/softhsm/softhsm2.conf` .3+|`/var/lib/softhsm/tokens/`
-|openSUSE and SUSE Linux Enterprise Server |`/etc/softhsm2.conf`
-|Fedora and Red Hat Enterprise Linux and Centos |`/etc/softhsm2.conf`
-|===
-
-[source,ini]
-....
-# SoftHSM v2 configuration file
-
-directories.tokendir = /var/lib/softhsm/tokens/
-objectstore.backend = file
-
-# ERROR, WARNING, INFO, DEBUG
-log.level = INFO
-....
+However, if none is available, you can xref:configuration/server/security/hsmdaemon/install-softhsm2.adoc[install a software HSM (SoftHSM2)].
 
 ==== Initialise the Token
 
diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/install-softhsm2.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/install-softhsm2.adoc
new file mode 100644
index 0000000000..6d6d82aa4b
--- /dev/null
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/install-softhsm2.adoc
@@ -0,0 +1,102 @@
+= Install SoftHSM2
+:softhsm2-url: https://www.opendnssec.org/softhsm/
+:opensuse-security-repositories-url: https://download.opensuse.org/repositories/security/
+
+If you do not have an HSM-provided PKCS11 library, then you can use {softhsm2-url}[SoftHSM2] instead.
+To do so, follow the instructions for you Linux distribution below.
+
+* xref:install-softhsm2-debian-ubuntu[Debian and Ubuntu]
+* xref:install-softhsm2-opensuse-suse-linux-enterprise-server[openSUSE and SUSE Linux Enterprise Server]
+* xref:install-softhsm2-fedora-red-hat-enterprise-linux-centos[Fedora and Red Hat Enterprise Linux and Centos]
+
+NOTE: Installing these two packages also installs `/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so`, which is a module that we will need later, for interaction with the PKCS11 API.
+
+[[install-softhsm2-debian-ubuntu]]
+== Install on Debian and Ubuntu
+
+To install SoftHSM2 on either Debian or Ubuntu, run the command below.
+
+[source,console]
+----
+sudo apt-get update
+sudo apt-get install -y softhsm2 libsofthsm2
+----
+
+[[install-softhsm2-opensuse-suse-linux-enterprise-server]]
+== Install on openSUSE and SUSE Linux Enterprise Server
+
+To install SoftHSM2, you first have to ensure that you have {opensuse-security-repositories-url}[the official security repository] for your server enabled in your server's repositories list. 
+To check if it is, run the command `zypper lr`, which will show you output similar to the following:
+
+[source,console]
+----
+#  | Alias                     | Name                                    | Enabled | GPG Check | Refresh
+---+---------------------------+-----------------------------------------+---------+-----------+--------
+ 1 | repo-debug                | openSUSE-Leap-15.0-Debug                | No      | ----      | ----   
+ 2 | repo-debug-non-oss        | openSUSE-Leap-15.0-Debug-Non-Oss        | No      | ----      | ----   
+ 3 | repo-debug-update         | openSUSE-Leap-15.0-Update-Debug         | No      | ----      | ----   
+ 4 | repo-debug-update-non-oss | openSUSE-Leap-15.0-Update-Debug-Non-Oss | No      | ----      | ----   
+ 5 | repo-non-oss              | openSUSE-Leap-15.0-Non-Oss              | Yes     | (r ) Yes  | Yes    
+ 6 | repo-oss                  | openSUSE-Leap-15.0-Oss                  | Yes     | (r ) Yes  | Yes    
+ 7 | repo-security             | openSUSE-Leap-15.0-Security             | Yes     | (r ) Yes  | Yes    
+ 8 | repo-source               | openSUSE-Leap-15.0-Source               | No      | ----      | ----   
+ 9 | repo-source-non-oss       | openSUSE-Leap-15.0-Source-Non-Oss       | No      | ----      | ----   
+10 | repo-update               | openSUSE-Leap-15.0-Update               | Yes     | (r ) Yes  | Yes    
+11 | repo-update-non-oss       | openSUSE-Leap-15.0-Update-Non-Oss       | Yes     | (r ) Yes  | Yes 
+----
+
+TIP: use the `-d` flag to show the URI for each repository as well.
+
+If there is no security repository available, then add it using the following command:
+
+[source,console]
+----
+# Replace <security-repository> with the URL for your distribution and architecture.
+sudo zypper addrepo \
+  --check \
+  --refresh \
+  --name "openSUSE-Leap-15.0-Security" \
+  <security-repository> \
+  "repo-security"
+----
+
+With the repository enabled, install SoftHSM2 by running the following command:
+
+[source,console]
+----
+sudo zypper install -y --auto-agree-with-licenses softhsm
+----
+
+[[install-softhsm2-fedora-red-hat-enterprise-linux-centos]]
+== Install on Fedora and Red Hat Enterprise Linux and Centos 
+
+To install SoftHSM2 on Fedora and Red Hat Enterprise Linux and Centos, run the command below.
+
+[source,console]
+----
+sudo yum install --assumeyes softhsm
+----
+
+== Check the Configuration File
+
+Once SoftHSM2 is installed, check that the directory specified by `directories.tokendir` in SoftHSM2's configuration file exists.
+
+[options="headers",cols="3"]
+|===
+|Distribution |Configuration File Location |Tokens Directory
+|Debian and Ubuntu |`/etc/softhsm/softhsm2.conf` .3+|`/var/lib/softhsm/tokens/`
+|openSUSE and SUSE Linux Enterprise Server |`/etc/softhsm2.conf`
+|Fedora and Red Hat Enterprise Linux and Centos |`/etc/softhsm2.conf`
+|===
+
+[source,ini]
+....
+# SoftHSM v2 configuration file
+
+directories.tokendir = /var/lib/softhsm/tokens/
+objectstore.backend = file
+
+# ERROR, WARNING, INFO, DEBUG
+log.level = INFO
+....
+

From 6b7be0644994bac323359c3fa810fd1c850c3d31 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Tue, 9 Apr 2019 13:26:17 +0200
Subject: [PATCH 12/15] Integrate PM feedback

---
 .../pages/configuration/server/security/hsmdaemon/index.adoc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
index e9836e2cb7..46fea965d0 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
@@ -19,7 +19,8 @@ The hsmdaemon is a daemon, provided by ownCloud, to delegate encryption to an {h
 This can be necessary, as PHP cannot, directly, interface with {pkcs11-url}[a PKCS11 stack]; neither with an API wrapper, because one does not exist, nor via the OpenSSL bindings.
 Because of this, a separate process is needed to decrypt anything with the private key stored in an HSM.
 
-NOTE: For hsmdaemon support, you need ownCloud server >= 10.2.
+NOTE: For hsmdaemon support, you need ownCloud Enterprise Edition >= 10.2. 
+We recommend consulting with us when deploying storage encryption with an HSM.
 
 Running {php-exec-function-url}[exec()] to decrypt the key with a command line command to do the encryption might leak the HSM credentials if the admin lists the currently running processes. 
 To prevent that, an HSM daemon will be used that can open a session to the HSM upon startup. 
@@ -77,6 +78,8 @@ If you are using a different operating system or distribution, please adjust the
 
 At least one PKCS11 library is necessary, which is typically provided by an HSM vendor. 
 However, if none is available, you can xref:configuration/server/security/hsmdaemon/install-softhsm2.adoc[install a software HSM (SoftHSM2)].
+SoftHSM2 is the most simple approach to employ storage encryption with a master key in an HSM. 
+This is because it hands off the master key material to a user other than the web server user.
 
 ==== Initialise the Token
 

From ffda10b3e8841af310623dcadf7570e62ab493b4 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Mon, 6 May 2019 14:35:03 +0200
Subject: [PATCH 13/15] Revised the hsmdaemon/SoftHSM2 documentation

Further updated the documentation based on
[feedback](https://github.com/owncloud/docs/pull/802#discussion_r281145818)
from @butonic.
---
 .../server/security/hsmdaemon/index.adoc      | 11 +++++---
 .../{install-softhsm2.adoc => softhsm2.adoc}  | 25 ++++++++++++++-----
 2 files changed, 26 insertions(+), 10 deletions(-)
 rename modules/admin_manual/pages/configuration/server/security/hsmdaemon/{install-softhsm2.adoc => softhsm2.adoc} (76%)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
index 46fea965d0..ae544ab661 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
@@ -19,6 +19,10 @@ The hsmdaemon is a daemon, provided by ownCloud, to delegate encryption to an {h
 This can be necessary, as PHP cannot, directly, interface with {pkcs11-url}[a PKCS11 stack]; neither with an API wrapper, because one does not exist, nor via the OpenSSL bindings.
 Because of this, a separate process is needed to decrypt anything with the private key stored in an HSM.
 
+When using hsmdaemon with an HSM, the keys are not stored on the same physical machine as ownCloud. 
+As a result, if someone steals the machine that stores your ownCloud instance and boots it outside your network, your data cannot be accessed. 
+As the HSM is not accessible, the keys cannot be read, so they cannot be used to decrypt your data.
+
 NOTE: For hsmdaemon support, you need ownCloud Enterprise Edition >= 10.2. 
 We recommend consulting with us when deploying storage encryption with an HSM.
 
@@ -76,10 +80,9 @@ If you are using a different operating system or distribution, please adjust the
 
 ==== Install Using a Preconfigured PKCS11 Module
 
-At least one PKCS11 library is necessary, which is typically provided by an HSM vendor. 
-However, if none is available, you can xref:configuration/server/security/hsmdaemon/install-softhsm2.adoc[install a software HSM (SoftHSM2)].
-SoftHSM2 is the most simple approach to employ storage encryption with a master key in an HSM. 
-This is because it hands off the master key material to a user other than the web server user.
+At least one PKCS11 library is necessary. 
+This is typically provided by an HSM vendor. 
+If a PKCS11 library is not available, you can xref:configuration/server/security/hsmdaemon/softhsm2.adoc[use the software HSM, _SoftHSM2_].
 
 ==== Initialise the Token
 
diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/install-softhsm2.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/softhsm2.adoc
similarity index 76%
rename from modules/admin_manual/pages/configuration/server/security/hsmdaemon/install-softhsm2.adoc
rename to modules/admin_manual/pages/configuration/server/security/hsmdaemon/softhsm2.adoc
index 6d6d82aa4b..e196dafad7 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/install-softhsm2.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/softhsm2.adoc
@@ -1,7 +1,21 @@
-= Install SoftHSM2
+= SoftHSM2
 :softhsm2-url: https://www.opendnssec.org/softhsm/
 :opensuse-security-repositories-url: https://download.opensuse.org/repositories/security/
 
+SoftHSM2 is a simple approach for employing storage encryption with a master key in an HSM, because it store the keys in place of ownCloud.
+
+== Use SoftHSM2 With hsmdaemon
+
+SoftHSM2 can be used with and xref:configuration/server/security/hsmdaemon/index.adoc[hsmdaemon] to store keys in place of ownCloud; either on the same or a different machine as ownCloud.
+Because keys are stored with a different owner to ownCloud, it prevents the web server (xref:installation/system_requirements.adoc#officially-recommended-supported-options[typically Apache]) from directly reading the key material.
+This helps prevent a malicious actor from reading files, if they can impersonate the web server user.
+However, it doesn't help if the malicious actor can manipulate PHP files and run arbitrary code.
+
+IMPORTANT: If you run SoftHSM2 and hsmdaemon on a different machine on the network, know that the hsmdaemon traffic is not encrypted.
+In this scenario, the systems administrator would need to setup a secure tunnel to encrypt the traffic.
+
+== Install SoftHSM2
+
 If you do not have an HSM-provided PKCS11 library, then you can use {softhsm2-url}[SoftHSM2] instead.
 To do so, follow the instructions for you Linux distribution below.
 
@@ -12,7 +26,7 @@ To do so, follow the instructions for you Linux distribution below.
 NOTE: Installing these two packages also installs `/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so`, which is a module that we will need later, for interaction with the PKCS11 API.
 
 [[install-softhsm2-debian-ubuntu]]
-== Install on Debian and Ubuntu
+=== Install on Debian and Ubuntu
 
 To install SoftHSM2 on either Debian or Ubuntu, run the command below.
 
@@ -23,7 +37,7 @@ sudo apt-get install -y softhsm2 libsofthsm2
 ----
 
 [[install-softhsm2-opensuse-suse-linux-enterprise-server]]
-== Install on openSUSE and SUSE Linux Enterprise Server
+=== Install on openSUSE and SUSE Linux Enterprise Server
 
 To install SoftHSM2, you first have to ensure that you have {opensuse-security-repositories-url}[the official security repository] for your server enabled in your server's repositories list. 
 To check if it is, run the command `zypper lr`, which will show you output similar to the following:
@@ -68,7 +82,7 @@ sudo zypper install -y --auto-agree-with-licenses softhsm
 ----
 
 [[install-softhsm2-fedora-red-hat-enterprise-linux-centos]]
-== Install on Fedora and Red Hat Enterprise Linux and Centos 
+=== Install on Fedora and Red Hat Enterprise Linux and Centos 
 
 To install SoftHSM2 on Fedora and Red Hat Enterprise Linux and Centos, run the command below.
 
@@ -77,7 +91,7 @@ To install SoftHSM2 on Fedora and Red Hat Enterprise Linux and Centos, run the c
 sudo yum install --assumeyes softhsm
 ----
 
-== Check the Configuration File
+=== Check the Configuration File
 
 Once SoftHSM2 is installed, check that the directory specified by `directories.tokendir` in SoftHSM2's configuration file exists.
 
@@ -99,4 +113,3 @@ objectstore.backend = file
 # ERROR, WARNING, INFO, DEBUG
 log.level = INFO
 ....
-

From f6cb5d9467e42864ea942e2b905f8e241825dd9d Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Mon, 6 May 2019 14:59:20 +0200
Subject: [PATCH 14/15] Add table of contents attribute

---
 .../pages/configuration/server/security/hsmdaemon/softhsm2.adoc  | 1 +
 1 file changed, 1 insertion(+)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/softhsm2.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/softhsm2.adoc
index e196dafad7..b8ee92431d 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/softhsm2.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/softhsm2.adoc
@@ -1,4 +1,5 @@
 = SoftHSM2
+:toc: right
 :softhsm2-url: https://www.opendnssec.org/softhsm/
 :opensuse-security-repositories-url: https://download.opensuse.org/repositories/security/
 

From 7bcc417e69548981bdb2be1893d39c7f581d74e0 Mon Sep 17 00:00:00 2001
From: Matthew Setter <matthew@matthewsetter.com>
Date: Tue, 7 May 2019 12:07:58 +0200
Subject: [PATCH 15/15] Revise the note about where keys are stored when using
 hsmdaemon and an HSM

---
 .../pages/configuration/server/security/hsmdaemon/index.adoc  | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
index ae544ab661..daa311b13a 100644
--- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
+++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc
@@ -19,9 +19,7 @@ The hsmdaemon is a daemon, provided by ownCloud, to delegate encryption to an {h
 This can be necessary, as PHP cannot, directly, interface with {pkcs11-url}[a PKCS11 stack]; neither with an API wrapper, because one does not exist, nor via the OpenSSL bindings.
 Because of this, a separate process is needed to decrypt anything with the private key stored in an HSM.
 
-When using hsmdaemon with an HSM, the keys are not stored on the same physical machine as ownCloud. 
-As a result, if someone steals the machine that stores your ownCloud instance and boots it outside your network, your data cannot be accessed. 
-As the HSM is not accessible, the keys cannot be read, so they cannot be used to decrypt your data.
+NOTE: When using hsmdaemon with an HSM, the keys _may_ still be stored on the same physical machine as ownCloud.
 
 NOTE: For hsmdaemon support, you need ownCloud Enterprise Edition >= 10.2. 
 We recommend consulting with us when deploying storage encryption with an HSM.