Replies: 2 comments
-
|
Hi, I have a few comments on this - no software solution is usable as an HSM in production, because the H stands for hardware. A software solution simply cannot guarantee the same security (e.g. resistance to key leaks and memory dumps).
Bouncy HSM was designed from the beginning as a development tool and for deployment in QA/test environments. Almost half of the code would need to be rewritten for FIPS compatibility, because in many places I bypass security so that the inside of the HSM could be accessed via the GUI. You would need to buy the FIPS version of the BouncyCastle library, and pay for certification for 250,000 - 1,500,000 USD (according to ChatGPT). |
Beta Was this translation helpful? Give feedback.
-
|
I looked at it more closely and the FIPS compliant Vault instance uses a real HSM. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
As we are today, there is only 1 software based HSM Solution, which is from Hashicorp vault with PKCS#11 Intergration that can truly be used in production, that i'm aware of.
As we know, BouncyHsm and SoftHsm are both developmet platforms.
I think the world could do with an open source alternative to expensive HSM Devices and HSM Cloud Services.
What would it take to make BouncyHsm FIPS compliant and make it the go-to solution for Open Source HSM Implementations in Production?
Would you consider entertaining this?
Beta Was this translation helpful? Give feedback.
All reactions