SoftHSM2
SoftHSM2 is a simple approach for employing storage encryption with a master key in an HSM, because it stores the keys in place of ownCloud.
Use SoftHSM2 With hsmdaemon
SoftHSM2 can be used with and hsmdaemon to store keys in place of ownCloud; either on the same or a different machine as ownCloud. Because keys are stored with a different owner to ownCloud, it prevents the web server (typically Apache) from directly reading the key material. This helps prevent a malicious actor from reading files, if they can impersonate the web server user. However, it doesn’t help if the malicious actor can manipulate PHP files and run arbitrary code.
If you run SoftHSM2 and hsmdaemon on a different machine on the network, know that the hsmdaemon traffic is not encrypted. In this scenario, the systems administrator would need to setup a secure tunnel to encrypt the traffic. |
Install SoftHSM2
If you do not have an HSM-provided PKCS11 library, then you can use SoftHSM2 instead. To do so, follow the instructions for you Linux distribution below.
Installing these two packages also installs /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so , which is a module that we will need later, for interaction with the PKCS11 API.
|
Install on Debian and Ubuntu
To install SoftHSM2 on either Debian or Ubuntu, run the command below.
sudo apt-get update
sudo apt-get install -y softhsm2 libsofthsm2
Install on openSUSE and SUSE Linux Enterprise Server
To install SoftHSM2, you first have to ensure that you have the official security repository for your server enabled in your server’s repositories list.
To check if it is, run the command zypper lr
, which will show you output similar to the following:
# | Alias | Name | Enabled | GPG Check | Refresh
---+---------------------------+-----------------------------------------+---------+-----------+--------
1 | openSUSE-Leap-15.3-1 | openSUSE-Leap-15.3-1 | No | ---- | ----
2 | repo-debug | Debug Repository | No | ---- | ----
3 | repo-debug-non-oss | Debug Repository (Non-OSS) | No | ---- | ----
4 | repo-debug-update | Update Repository (Debug) | No | ---- | ----
5 | repo-debug-update-non-oss | Update Repository (Debug, Non-OSS) | No | ---- | ----
6 | repo-non-oss | Non-OSS Repository | Yes | (r ) Yes | Yes
7 | repo-oss | Main Repository | Yes | (r ) Yes | Yes
8 | repo-sle-debug-update | Update repository with debuginfo for... | No | ---- | ----
9 | repo-sle-update | Update repository with updates from... | Yes | (r ) Yes | Yes
10 | repo-source | Source Repository | No | ---- | ----
11 | repo-update | Main Update Repository | Yes | (r ) Yes | Yes
12 | repo-update-non-oss | Update Repository (Non-Oss) | Yes | (r ) Yes | Yes
Use the -d flag to show the URI for each repository as well.
|
If there is no security repository listed, then add it using the following command for openSUSE Leap 15.3:
sudo zypper addrepo \
--check \
--refresh \
--name "openSUSE-Leap-15.3-Security" \
https://download.opensuse.org/repositories/security/openSUSE_Leap_15.3/security.repo \
"repo-security"
Running zypper lr
again should now display an additional line:
13 | security | openSUSE-Leap-15.3-Security | Yes | (r ) Yes | No
For different Leap versions, SUSE Linux Enterprise or openSUSE Tumbleweed, change the name and modify the product part of the URI as listed in the official security repository.
With the repository enabled, install SoftHSM2 by running the following command:
sudo zypper install -y --auto-agree-with-licenses softhsm
Install on Fedora and Red Hat Enterprise Linux and Centos
To install SoftHSM2 on Fedora and Red Hat Enterprise Linux and Centos, run the command below.
sudo yum install --assumeyes softhsm
Check the Configuration File
Once SoftHSM2 is installed, check that the directory specified by directories.tokendir
in SoftHSM2’s configuration file exists.
Distribution |
Configuration File Location |
Tokens Directory |
Debian and Ubuntu |
|
|
openSUSE and SUSE Linux Enterprise Server |
|
|
Fedora and Red Hat Enterprise Linux and Centos |
|
# SoftHSM v2 configuration file
directories.tokendir = /var/lib/softhsm/tokens/
objectstore.backend = file
# ERROR, WARNING, INFO, DEBUG
log.level = INFO