Secure Certificate Storage: LUKS vs. SoftHSM

G5 Cyber Security

1 week ago

TL;DR

Both LUKS and SoftHSM can securely store certificates, but they offer different levels of protection and convenience. LUKS encrypts the entire disk partition, providing broader security but requiring more setup. SoftHSM creates a dedicated hardware-backed key store for your certificates, offering stronger isolation but potentially being less flexible. For most users, SoftHSM is the better choice if you need strong certificate protection without full disk encryption.

Understanding the Options

Let’s break down each method:

LUKS (Linux Unified Key Setup): This encrypts a whole partition on your hard drive. Your certificates would be stored within files on that encrypted partition. Access requires unlocking the LUKS volume with a passphrase or keyfile.
SoftHSM: A software-based Hardware Security Module (HSM). It emulates a hardware HSM, providing a secure place to store cryptographic keys and perform operations like signing certificates. Certificates themselves are often stored alongside their private keys within the SoftHSM’s protected storage.

Step-by-step Guide: Setting up SoftHSM

Install SoftHSM2: Use your distribution’s package manager.

sudo apt install softhsm2  # Debian/Ubuntu

sudo yum install softhsm   # CentOS/RHEL/Fedora

Create a SoftHSM token: This creates the secure storage area.
```
softhsm2-init -type pkcs11 --label 'MyCertToken' --pin 12345678
```
Important: Choose a strong PIN. This PIN protects access to your keys.
Configure PKCS#11 URI: SoftHSM uses the PKCS#11 standard for accessing its storage.
The URI will typically be something like pkcs11:token=MyCertToken. Note this down; you’ll need it later.

Import your Certificate and Private Key: Use OpenSSL or a similar tool to import the certificate and key into SoftHSM.

openssl pkcs12 -i mycert.p12 -nokeys -out cert.pem -nodes

openssl pkcs12 -i mycert.p12 -nocerts -out key.pem -nodes

pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --label 'MyCertToken' --pin 12345678 --import cert.pem --type cert

pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --label 'MyCertToken' --pin 12345678 --import key.pem --type privkey

Verify the Import: List the objects in your SoftHSM token to confirm they are present.

pkcs11-tool --module /usr/lib/softhsm/libsofthsm2.so --label 'MyCertToken' --pin 12345678 --list

Step-by-step Guide: Using LUKS for Certificate Storage

Create an Encrypted Partition: Use a tool like cryptsetup to create and encrypt a partition.
```
sudo cryptsetup luksFormat /dev/sdX1
```
Warning: This will erase all data on the specified partition. Back up any important files first.
Open the Encrypted Partition: Mount the encrypted partition after unlocking it.
```
sudo cryptsetup luksOpen /dev/sdX1 myencryptedvolume
```
Create a Filesystem: Format the unlocked volume with a filesystem (e.g., ext4).
```
sudo mkfs.ext4 /dev/mapper/myencryptedvolume
```
Mount the Filesystem: Mount the newly formatted filesystem.
```
sudo mount /dev/mapper/myencryptedvolume /mnt/certs
```
Store Certificates: Copy your certificates into the /mnt/certs directory.

Unmount and Close: Unmount the filesystem when finished.

sudo umount /mnt/certs

sudo cryptsetup luksClose myencryptedvolume

Security Considerations

PIN Security: Both methods rely on a PIN. Choose strong, unique PINs and protect them carefully.
Key Backup: Back up your SoftHSM token or LUKS header in a secure location. Losing these means losing access to your certificates.
Physical Security: Protect the physical security of your machine. If someone gains physical access, they could potentially compromise either system.
cyber security best practices: Keep your operating system and software up-to-date with the latest security patches.