Currently for Endless OS we use a smart card for signing as described here. This requires a physical machine while the rest of our infrastructure is on AWS. We'd like to use AWS KMS for signing to remove the need for the physical machine. KMS uses FIPS-compliant HSMs, but they are shared among customers.
Presuming that we can ensure secure access to KMS, would this be acceptable for shim? I can go into more detail about how we'd use the service if needed. The CA key would continue to be stored and used offline as before.