Hi Luveh,
No, that metadata is rather about each key: whether it is a KSK or ZSK, whether it is active or just published, or retired, and when...
The "path" to the HSM is only in Knot configuration.
Unfortunately, the internals and binary format of the KASP database are not
described anywhere. They can only be deduced from Knot's source code, but
I understand how much effort it takes to dive into it...
https://gitlab.nic.cz/knot/knot-dns/-/blob/master/src/knot/dnssec/kasp/kasp…
Libor
On 05. 08. 21 at 22:23 Luveh Keraph wrote:
Thanks. My assumption is that the metadata contains information that
will enable knot to get the HSM to access the correct private key when
this key is needed, right?
This aside, do you guys have any documents where the KASP database is
described in detail?
On Thu, Aug 5, 2021 at 2:10 PM libor.peltan <libor.peltan(a)nic.cz> wrote:
Hi Luveh,
I agree the quoted sentence from the documentation is pretty
brief, and thus inaccurate.
The KASP database always contains just the public keys and some
key metadata.
The private keys are stored in a keystore, i.e. PEM files or
(Soft)HSM according to configuration.
This is also true for new keys generated with keymgr.
Thanks anyway for your question,
Libor
On 05. 08. 21 at 21:50 Luveh Keraph wrote:
> The man page for keymgr says that the keymgr generate command
> (quote) Generates new DNSSEC key and stores it in KASP database.
> (unquote)
>
> What is exactly stored in the KASP database?
>
> The reason I am asking is because the actual cryptographic key
> will be available in the clear only when using the default key
> store. When using an HSM (or even softhsm) only the HSM will
> have access to the key in the clear. So, what is it that gets
> stored in the KASP database when an HSM is used for generating keys?
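To make the split Libor describes above concrete: the KASP database holds only public keys and per-key metadata, while the private key material sits in a keystore, and the PKCS#11 module "path" appears only in knot.conf. The following is an added example of a minimal Knot DNS 3.x configuration illustrating that layout; it is not taken from the thread or from the Knot DNS project. The storage directory, token label, PIN, module path, zone name and lifetimes are assumptions chosen for illustration.

```yaml
# Added example, not from the original thread. Paths, token label, PIN,
# module path and zone name are placeholders (assumptions).

database:
  storage: /var/lib/knot          # assumed; the KASP DB lives under this directory
  kasp-db: keys                   # holds public keys and per-key metadata only
                                  # (KSK/ZSK role, publish/active/retire timing)

keystore:
  # Private keys never enter the KASP DB; they live in the backend below.
  - id: hsm_store
    backend: pkcs11
    # PKCS#11 URI followed by the module path. This line is the only place
    # the "path" to the (Soft)HSM appears. The token label and PIN are
    # placeholders; because pin-value is stored in clear text here, knot.conf
    # must be readable only by the knot service account.
    config: "pkcs11:token=knot-dnssec;pin-value=REPLACE_ME /usr/lib/softhsm/libsofthsm2.so"

policy:
  - id: hsm_policy
    keystore: hsm_store           # keys generated for this policy are created inside the HSM
    algorithm: ecdsap256sha256
    zsk-lifetime: 30d             # assumed rollover interval

zone:
  - domain: example.com.          # placeholder zone
    dnssec-signing: on
    dnssec-policy: hsm_policy
```

With this in place, `keymgr example.com. list` prints the per-key metadata that the KASP database actually stores (key id, KSK/ZSK flag, algorithm and the timing fields), and nothing in that output or in the database directory contains private key bytes; verifying that after setup is a quick way to confirm the HSM backend is in use rather than the default PEM keystore.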