12. Security Module

Starting with LinOTP 2.5 the encryption key can be stored in a Hardware Security Module (HSM), and encryption and decryption can be performed inside such a module. LinOTP implements this through a security module abstraction layer: even the traditional encryption key stored at /etc/linotp2/encKey is now handled via a security module, and new modules can be added easily. A module is defined by configuring it in the linotp.ini file. If you do not add anything, the old encryption key functionality is used:

linotpActiveSecurityModule = lunasa
linotpSecurity.lunasa.module = linotpee.lib.security.pkcs11.Pkcs11SecurityModule

You can define several modules. LinOTP currently ships with a PKCS11 security module. The key linotpActiveSecurityModule selects the module to use and takes the identifier of that module. A new module is defined with the key linotpSecurity.lunasa.module, where “lunasa” is the identifier (the name) of the module and the value is the Python module path of its implementation.

The following keys are configuration that depends on the chosen module, in this case the PKCS11 module:

#Config depending on module
linotpSecurity.lunasa.library = libCryptoki2_64.so
linotpSecurity.lunasa.configHandle = 21
linotpSecurity.lunasa.valueHandle = 22
linotpSecurity.lunasa.tokenHandle = 23
linotpSecurity.lunasa.defaultHandle = 22
linotpSecurity.lunasa.slotid = 1

12.1. PKCS11 module and SafeNet LunaSA

library
    defines the PKCS11 .so library in your filesystem.
slotid
    is the slot of the PKCS11 module to use.
configHandle, valueHandle and tokenHandle
    are the handles, within that slot, of the AES keys used to encrypt and decrypt the OTP PIN, configuration values, OTP keys and passwords. The defaultHandle is used if one of the other handles is not defined.
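The following is an added example (not LinOTP's own code) that reads the security module keys described in 12 and 12.1 from a linotp.ini fragment and applies the defaultHandle fallback, so a deployment check can report a missing library, slot or handle before the server tries to use the HSM. The [app:main] section name and the constructed sample fragment are assumptions; the key names are those from the page.

```python
import configparser

# Constructed sample linotp.ini fragment (not a real deployment file); values
# follow the manual, tokenHandle is deliberately left out to exercise the
# defaultHandle fallback. The [app:main] section name is an assumption.
SAMPLE_INI = """
[app:main]
linotpActiveSecurityModule = lunasa
linotpSecurity.lunasa.module = linotpee.lib.security.pkcs11.Pkcs11SecurityModule
linotpSecurity.lunasa.library = libCryptoki2_64.so
linotpSecurity.lunasa.configHandle = 21
linotpSecurity.lunasa.valueHandle = 22
linotpSecurity.lunasa.defaultHandle = 22
linotpSecurity.lunasa.slotid = 1
"""

HANDLE_KEYS = ("configHandle", "valueHandle", "tokenHandle")


def resolve_security_module(ini_text, section="app:main"):
    """Return the effective settings of the active security module.

    Returns None when linotpActiveSecurityModule is absent (the old encKey
    handling then applies). The dict carries a 'problems' list so a check
    can report what is missing instead of the server failing at runtime.
    """
    cp = configparser.ConfigParser()
    cp.optionxform = str          # keys are case-sensitive (configHandle etc.)
    cp.read_string(ini_text)
    sec = cp[section]
    name = sec.get("linotpActiveSecurityModule")
    if name is None:
        return None
    prefix = "linotpSecurity.%s." % name
    opts = {k[len(prefix):]: v for k, v in sec.items() if k.startswith(prefix)}
    result = {"name": name, "problems": []}
    for key in ("module", "library", "slotid"):
        if key not in opts:
            result["problems"].append("missing %s%s" % (prefix, key))
        result[key] = opts.get(key)
    # Fallback from 12.1: defaultHandle fills in any handle that is not defined.
    default = opts.get("defaultHandle")
    for key in HANDLE_KEYS:
        value = opts.get(key, default)
        if value is None:
            result["problems"].append("no %s%s and no defaultHandle" % (prefix, key))
        result[key] = int(value) if value is not None else None
    # 12.2: the slot password may be in the ini; otherwise it is passed later.
    result["password_in_ini"] = "password" in opts
    return result
```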

12.2. Password handling

Usually the PKCS11 device needs a password to access the slot. This password can either be defined in the linotp.ini file or needs to be passed to the LinOTP server after it has started. To define it in linotp.ini do it like this:

linotpSecurity.lunasa.password = YourPassword

To pass the password later to the LinOTP server you can use the linotpadm.py command line client:

% linotpadm.py --admin=admin --url=https://localhost -C securitymodule --module=default
python yubikey module not available.
please get it from https://github.com/Yubico/python-yubico if you want to enroll yubikeys
No module named yubico
Please enter password for 'admin':
Please enter password for security module 'default':
{ u'status': True,
u'value': { u'setupSecurityModule': { u'activeSecurityModule': u'default',
u'connected': True}}}

To check the status of the security module you can do this:

% linotpadm.py --admin=admin --url=https://localhost -C securitymodule
python yubikey module not available.
please get it from https://github.com/Yubico/python-yubico if you want to enroll yubikeys
No module named yubico
Please enter password for 'admin':
{ u'status': True,
u'value': { u'setupSecurityModule': { u'activeSecurityModule': u'default',
u'connected': True}}}