Smart Card and TPM DNSSEC HowTo - Richard Lamb 2012

See web page for more detailed and updated info.

We have 3 smart card examples and one TPM example.

For smart cards:
  get a USB smartcard reader (SCR331, $12)
  get a smartcard (Aventra, $11)
  boot the DVD and log in as root (password: dnssec)

Note: If not using the Aventra myid smart card, replace
  PKCS11_LIBRARY_PATH="/opt/dccom/lib/opensc-pkcs11.so"
with the path of your card's PKCS#11 library in each script that loads it:
  carderase cardrng cardsign genksk-sc genzsk-sc signem-sc signzone-99 signzone-sc
Routines that also depend on the Aventra card itself (a library path change alone is not enough):
  carddel carderase cardshow cardwrite

Offline Smart Card KSK + online software ZSKs

  carderase (123456 for PIN and Security Officer PIN if asked)
  export DOMAIN=yourdomain (no trailing dot)
  optional: export TEST="yes" (short signature lifetimes for testing)
  cardrng (in a second terminal window; PIN from above)
  genzsk
  genksk (filename like "temp")
  Stop cardrng
  cardwrite (CKA_LABEL like "Kdate"; filename and PIN from above)
  cardshow
  cardsign (passphrase to encrypt keybundles, KSK CKA_LABEL and PIN from above)
  optional: signzone (passphrase for keybundles needed; starts local nameserver and runs sample signer process)

Offline Smart Card KSK + online ZSKs (ZSKs also generated through the card)

  carderase (123456 for PIN and Security Officer PIN if asked)
  export DOMAIN=yourdomain (no trailing dot)
  optional: export TEST="yes" (short signature lifetimes for testing)
  genzsk-sc (PIN from above)
  genksk-sc (PIN from above)
  cardsign-sc (KSK CKA_LABEL is what genksk-sc returned, e.g., Kyourdomain.+008+17118)
  optional: signzone-sc (starts local nameserver and runs sample signer process)

Online Smart Card KSK + ZSKs + automated in-line signing

  carderase (123456 for PIN and Security Officer PIN if asked)
  export DOMAIN=yourdomain (no trailing dot)
  optional: export TEST="yes" (short signature lifetimes for testing)
  signzone-99 (PIN from above. Generates KSK, ZSK, starts local nameserver as automated in-line signer)

TPM Work

Note: trousers, opencryptoki and tpm-tools are very finicky, and building a local version for debugging requires pulling in a lot of cruft. opencryptoki is a moving target, but version 2.4 seems to have attained some stability. Beware of old TPM systems that will fail after a few thousand C_Signs.

Versions used for this demo on CentOS 6.0:
  tpm-tools-1.3.4-2.el6.i686.rpm
  tpm-tools-pkcs11-1.3.4-2.el6.i686.rpm
  opencryptoki-2.4.2-2.el6.i686.rpm
  opencryptoki-libs-2.4.2-2.el6.i686.rpm
  trousers-0.3.4-4.el6.i686.rpm

Online TPM KSK + ZSKs + automated in-line signing

  REBOOT MACHINE AND GO TO BIOS TO ACTIVATE AND CLEAR TPM FIRST.
  /etc/init.d/tcsd start (should return "OK")
  tpm_version (should return TPM info)
  tpm_createek (only needed if the TPM has never been initialized)
  tpm_takeownership (this will take a while generating the 2048 bit SRK on the TPM. Try again if an I/O error occurs.)
  tpm_restrictsrk -a (just for the password. For this and other TPM error messages, see /var/log/messages)
  /etc/init.d/pkcsslotd stop (may already be stopped, but do it to make sure)
  rm -rf /tmp/.pkcs11spinloc /var/lib/opencryptoki/tpm (clears the stale slot-daemon lock and the old TPM token store)
  /etc/init.d/pkcsslotd start (should return "OK")
  tpmtoken_init -l debug (123456 for security officer and user. Note: do not keep the opencryptoki defaults, 87654321 for SO and 12345678 for user. This will take a while.)
  pkcsconf -t (lists the tokens; check that the TPM token is present and initialized)
  export DOMAIN=yourdomain (no trailing dot)
  optional: export TEST="yes" (short signature lifetimes for testing)
  signzone-tpm (PIN from above. This will take a while. Generates KSK, ZSK, starts local nameserver as automated in-line signer)

END

UPDATE 16 August 2013

New work based on OpenSC 0.13.0 and the SmartCard-HSM by CardContact, http://www.cardcontact.de/products/SmartCard-HSM_V1.0.pdf. These cards have many more HSM features, such as the ability to securely export/import private key material between cards, i.e., to make backups.
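The PKCS11_LIBRARY_PATH note at the top of the page and the DOMAIN export repeated in every 2012 workflow are easy to get half right: one script left pointing at the Aventra module, or a DOMAIN with a trailing dot, only shows up as a failed signing run later. The following pre-flight script is an added example (not from the page and not one of its scripts): it rewrites the PKCS11_LIBRARY_PATH line in every script the page lists as loading the module, verifies the rewrite, and normalizes DOMAIN. It assumes the scripts sit in one directory and each contains one assignment of the form shown in the note; the directory, library path and domain in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original HowTo or its scripts.
# Pre-flight for the 2012 smart card workflows: point every script that
# loads a PKCS#11 module at the right library and check DOMAIN.
#
# Assumptions (not stated on the page): all scripts live in one directory
# and each contains one line of the form
#   PKCS11_LIBRARY_PATH="/opt/dccom/lib/opensc-pkcs11.so"
# exactly as the page's note shows.

# Scripts the page lists as loading PKCS11_LIBRARY_PATH.
PKCS11_SCRIPTS="carderase cardrng cardsign genksk-sc genzsk-sc signem-sc signzone-99 signzone-sc"
# Scripts the page lists as depending on the Aventra card itself; a path
# change is not enough for them, so they are only reported.
AVENTRA_ONLY_SCRIPTS="carddel carderase cardshow cardwrite"

# set_pkcs11_library DIR LIBPATH
# Rewrite the PKCS11_LIBRARY_PATH line in each listed script under DIR.
# Refuses to run unless LIBPATH exists; returns 1 if any script still
# points elsewhere afterwards, so a half-done rewrite cannot pass silently.
set_pkcs11_library() {
    dir=$1
    lib=$2
    rc=0
    if [ ! -f "$lib" ]; then
        echo "PKCS#11 library not found: $lib" >&2
        return 1
    fi
    for s in $PKCS11_SCRIPTS; do
        f="$dir/$s"
        if [ ! -f "$f" ]; then
            echo "missing script, skipped: $f" >&2
            continue
        fi
        # '|' as the sed delimiter because the path contains '/'.  Write
        # through a temp file and copy back so the script keeps its mode.
        sed "s|^PKCS11_LIBRARY_PATH=.*|PKCS11_LIBRARY_PATH=\"$lib\"|" "$f" > "$f.tmp" \
            && cat "$f.tmp" > "$f"
        rm -f "$f.tmp"
        grep -q "^PKCS11_LIBRARY_PATH=\"$lib\"\$" "$f" || {
            echo "not rewritten: $f" >&2
            rc=1
        }
    done
    return $rc
}

# check_domain NAME
# The scripts want DOMAIN without the trailing dot.  Prints the normalized
# name; returns 1 for an empty name, an empty label, or characters that do
# not belong in a host name.
check_domain() {
    d=${1%.}
    case "$d" in
        ''|.*|*.|*..*|*[!A-Za-z0-9.-]*)
            echo "bad DOMAIN: '$1'" >&2
            return 1 ;;
    esac
    printf '%s\n' "$d"
}

# Usage: eval "$(sh preflight.sh /path/to/scripts /usr/lib/opensc-pkcs11.so yourdomain)"
# (paths and domain are placeholders; the export line is printed for the
# calling shell because a child process cannot export into its parent)
if [ "$#" -eq 3 ]; then
    set_pkcs11_library "$1" "$2" || exit 1
    DOMAIN=$(check_domain "$3") || exit 1
    printf 'export DOMAIN=%s\n' "$DOMAIN"
    echo "still Aventra-specific, check by hand: $AVENTRA_ONLY_SCRIPTS" >&2
fi
```

The existence check on the library comes first on purpose: OpenSC's opensc-pkcs11.so lives in different places per distribution, and a PKCS#11 path that does not exist fails only when the script calls C_Initialize, long after carderase has already wiped the card.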
NEW FILES

First card: hcarderase hgenwrapkey
Other cards: hcarderase hcardclone himportshare (once per share)
Gen KSK (on any card): hgenksk hwrapkey
Backup cards: hunwrapkey
Show contents: hcardshow
Delete item: hcarddel
Updated PKCS11 BIND modification (for dnssec-signzone): opensslrsa_link.c

Offline Smart Card KSK + online software ZSKs

Create a temporary directory and make it the default:
  mkdir tmp; cd tmp
  hcarderase (Use 123456 for PIN and Security Officer PIN if asked)
  hmakeshares - makes two files with encrypted key shares (dkek-share-*.pbe) that are later used to make backup copies of keys. Note the passwords: both share files and their passwords are needed again for every backup card.
  himportshare dkek-share-1.pbe
  himportshare dkek-share-2.pbe
  export DOMAIN=yourdomain (no trailing dot)
  optional: export TEST="yes" (short signature lifetimes for testing)
  In a second terminal window execute "hcardrng" (PIN from above). To test the RNG, in another window do "cat /dev/random | rngtest", wait a minute, and then ctrl-C; rngtest should print some statistics. ("rngtest -c 1000 < /dev/random" checks a fixed number of FIPS 140-2 blocks instead of waiting for ctrl-C.)
  hgenzsk - generates two software ZSKs using random numbers from the card
  Stop hcardrng (ctrl-C) and exit that window
  hgenksk - generates a KSK inside the card. Note the "label:" field.
  hcardshow - shows what is on the card. For these cards only the private key is stored on the card; the public key is in a file suffixed with ".pub".
  optional: make KSK backup cards (see below)
  hcardsign - generates a set of pre-KSK-signed DNSKEY RRsets for future use (Use "abc" for the passphrase to encrypt keybundles; KSK CKA_LABEL and PIN from above. "abc" is a demo passphrase only.)
  optional: hsignzone (Use "abc" for the keybundle passphrase. Starts local nameserver and runs sample signer process to maintain signatures)

Making SmartCard-HSM backup cards

With the current card:
  hwrapkey - exports an encrypted copy of the private key (wrapped under the key assembled from the shares) to a file with a .wrap suffix
Insert the new card:
  hcarderase
  himportshare dkek-share-1.pbe (sc-hsm-tool is the main OpenSC utility for this card; without any arguments it displays card status)
  himportshare dkek-share-2.pbe
  hunwrapkey - answer with the file created above (e.g. *.wrap)
  hcardshow - should show the key in the card
Repeat the above steps for each additional card.
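The h* wrappers hide the one ordering rule that matters for these backups: a card can only unwrap a key once it holds the same DKEK as the card that wrapped it, and the DKEK exists only after every share declared at initialization has been imported. The script below is an added example (not from the page and not one of its wrappers) that writes the same backup flow directly against OpenSC's sc-hsm-tool. It assumes that hcarderase, hmakeshares, himportshare, hwrapkey and hunwrapkey correspond to sc-hsm-tool's --initialize/--dkek-shares, --create-dkek-share, --import-dkek-share, --wrap-key and --unwrap-key options, that the KSK is at key reference 1 (compare with hcardshow), and that sc-hsm-tool prompts for any PIN, SO-PIN or share password not given on the command line. SC_HSM_TOOL, SCHSM_DEMO, ksk.wrap and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original HowTo or its h* wrapper scripts.
# SmartCard-HSM backup flow (hmakeshares / himportshare / hwrapkey /
# hunwrapkey) written directly with OpenSC's sc-hsm-tool.
#
# Assumptions (not stated on the page): the wrappers map onto the
# sc-hsm-tool options used below, and the KSK sits at key reference 1.
# PINs and share passwords are deliberately not passed on the command
# line; sc-hsm-tool prompts for them, which keeps them out of ps output
# and shell history.  SC_HSM_TOOL may point at a stub to rehearse the
# sequence without a card.

SC_HSM_TOOL=${SC_HSM_TOOL:-sc-hsm-tool}

# hsm ARGS...: run sc-hsm-tool, failing loudly if it is not installed.
hsm() {
    command -v "$SC_HSM_TOOL" >/dev/null 2>&1 || {
        echo "sc-hsm-tool not found (ships with OpenSC 0.13.0 and later)" >&2
        return 1
    }
    "$SC_HSM_TOOL" "$@"
}

# init_card N: erase and initialize the card so that N DKEK shares must be
# imported before any key can be wrapped or unwrapped (page: hcarderase).
init_card() {
    hsm --initialize --dkek-shares "$1"
}

# make_shares N: write dkek-share-1.pbe .. dkek-share-N.pbe, each
# encrypted under its own password (page: hmakeshares).  Keep the files
# and passwords apart; together they reconstruct the DKEK, and without all
# of them no further backup card can ever be made.
make_shares() {
    i=1
    while [ "$i" -le "$1" ]; do
        hsm --create-dkek-share "dkek-share-$i.pbe" || return 1
        i=$((i + 1))
    done
}

# import_shares FILE...: import every share into the inserted card
# (page: himportshare, once per share).
import_shares() {
    for f in "$@"; do
        hsm --import-dkek-share "$f" || return 1
    done
}

# wrap_key KEYREF OUTFILE: export the private key encrypted under the
# DKEK (page: hwrapkey).  The file is useless without the shares.
wrap_key() {
    hsm --wrap-key "$2" --key-reference "$1"
}

# unwrap_key KEYREF INFILE: import the wrapped key on a card that holds
# the same DKEK (page: hunwrapkey).
unwrap_key() {
    hsm --unwrap-key "$2" --key-reference "$1"
}

# first_card N: initialize, create N shares, import them; run before
# generating the KSK on the card.
first_card() {
    n=$1
    init_card "$n" && make_shares "$n" || return 1
    j=1
    while [ "$j" -le "$n" ]; do
        import_shares "dkek-share-$j.pbe" || return 1
        j=$((j + 1))
    done
}

# backup_card KEYREF WRAPFILE SHARE...: on each new card, initialize for
# exactly as many shares as are supplied, import them, then unwrap.
backup_card() {
    keyref=$1
    wrap=$2
    shift 2
    init_card "$#" && import_shares "$@" && unwrap_key "$keyref" "$wrap"
}

# Usage with a real card: SCHSM_DEMO=1 sh schsm-backup.sh
case "${SCHSM_DEMO:-}" in
1)
    first_card 2
    # generate the KSK on the card here (page: hgenksk), then:
    wrap_key 1 ksk.wrap
    # swap in the new card, then:
    backup_card 1 ksk.wrap dkek-share-1.pbe dkek-share-2.pbe
    ;;
esac
```

backup_card derives the share count from its arguments on purpose: initializing the new card with a different --dkek-shares value than the original card would produce a card whose DKEK never completes (too many) or never matches (too few), and the unwrap then fails without saying why.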