Hi,
Are there any plans to add support for PKCS#11 on a deployed Mender server? There is for the clients, but the private key of the server still has to be in plain text.
Best Regards,
Hello @sandevins,
No plans for this at the moment, as the server typically lives in a more secure / tamper proof environment than the client…
That said, we’re open to pull requests, but I am afraid this is a major change because I think it would require all crypto operations in the server be switched to using OpenSSL.
Dear @eystein,
It’s true that it should be in a more secure environment. But the server usually is a target for attackers, and stealing the secret key that Mender uses would allow them to impersonate that server.
Regards,