Future plans for local key management


Milan Satpathy

Jul 15, 2024, 6:37:28 AM
to theupdate...@googlegroups.com, Corey Minyard
Hi,

I have used an older version of TUF (containing repository_tools) in our earlier implementation.

In my attempt to utilize v5.0 of python-tuf, I am facing a few challenges to password-encrypt and store the keys to the local disk. As I understand, earlier versions utilized library calls like _generate_and_write_rsa_keypair from securesystemslib.interface to perform this task (even the latest version of RSTUF still utilizes this). However, ssl has deprecated the interface module now.

So going forward, if I am not using any cloud-based KMS, what should be my options to generate, encrypt (with password) and store the keys in a local environment? Are there any supported 3rd-party libraries to achieve this objective?

Regards,
Milan



Lukas Pühringer

Jul 15, 2024, 6:59:41 AM
to Milan Satpathy, The Update Framework (TUF), Corey Minyard
Hi,

Thanks for reaching out! To sign TUF metadata, the new python-tuf library takes an object that implements the Signer interface. For file-based rsa, ecdsa and ed25519 keys, you can take a look at CryptoSigner [1].

Unfortunately, we no longer provide an API to generate encrypted private key files. However, you can now create them in a standard pkcs8/pem format (e.g. with the `openssl` command [2]) and load them as CryptoSigner as described in “Using an existing private key” in [1].

Let me know if you need more help.

Kind regards,
Lukas

[1] https://github.com/secure-systems-lab/securesystemslib/blob/main/docs/CRYPTO_SIGNER.md
[2] https://github.com/in-toto/in-toto/issues/662
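
The workflow described in the reply above (a password-encrypted PKCS8/PEM key file on local disk, loaded into a CryptoSigner), as an added example that is not part of the original thread or the project's own code. It uses the `cryptography` package in place of the `openssl` command; the function names, the Ed25519 key type and the key file path are assumptions.

```python
import os

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def generate_encrypted_key(path: str, password: bytes) -> None:
    """Create an Ed25519 key and store it as password-encrypted PKCS8/PEM."""
    private_key = Ed25519PrivateKey.generate()
    pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )
    # O_EXCL refuses to overwrite an existing key; 0o600 keeps the file owner-only.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(pem)


def load_private_key(path: str, password: bytes):
    """Decrypt the PEM file; a wrong password raises ValueError."""
    with open(path, "rb") as f:
        return serialization.load_pem_private_key(f.read(), password)


def load_signer(path: str, password: bytes):
    """Wrap the decrypted key in a CryptoSigner for signing TUF metadata."""
    # Imported here so the key-file helpers above work without securesystemslib.
    from securesystemslib.signer import CryptoSigner

    return CryptoSigner(load_private_key(path, password))


if __name__ == "__main__":
    import getpass
    import tempfile

    key_path = os.path.join(tempfile.mkdtemp(), "root_key.pem")  # constructed path
    pw = getpass.getpass("Key password: ").encode()
    generate_encrypted_key(key_path, pw)
    signer = load_signer(key_path, pw)
    print("keyid:", signer.public_key.keyid)
```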