Supporting cryptographic policies for openCryptoki

Edit online

For openCryptoki, you can apply global policies to restrict the usage of unwanted mechanisms and keys. The policy is guided by the notion of cryptographic strength. You can specify a minimal strength, allowed mechanisms, and a way to derive the strength for a given key. openCryptoki then blocks all keys that are not strong enough and mechanisms that are not allowed. The policy is set globally for all applications using openCryptoki.

Applying a cryptographic policy to openCryptoki applications is based on two configuration files. You just need to adapt the strength configuration file strength.conf that is preinstalled in /etc/opencryptoki, and create the policy configuration file policy.conf into this openCryptoki folder as shown:


/etc/opencryptoki/strength.conf
/etc/opencryptoki/policy.conf

The strength configuration is mandatory. If you install openCryptoki from the source package, a default strength configuration file based on NIST recommendations is installed if no strength configuration exists. Only the root user can modify this file. A valid strength configuration file is prerequisite for activating a policy defined in the policy configuration file. However, a policy configuration is optional.

The strength configuration file is also used for collecting statistics. The key strength as defined by that file determines under which strength a key is counted.