STRENGTH.CONF(5)                 openCryptoki                 STRENGTH.CONF(5)

NAME

       strength.conf - Configuration file for openCryptoki strength
       configuration.

DESCRIPTION

       openCryptoki uses a strength configuration file at
       /etc/opencryptoki/strength.conf.

       This configuration file allows users to configure openCryptoki
       cryptographic key strength determination based on key attributes.
       This file is required by openCryptoki.

SYNTAX

       This file starts with a version specification of the form
       version strength-0 followed by the definition of various strengths.

       Each strength definition is composed of a strength, brackets and
       key-value pairs.

        strength number
        {
            ...
        }

       Supported numbers are 112, 128, 192, and 256 representing the
       corresponding strength in bits.

       Note: These definitions are optional.  If a definition is missing, no
       key can have the strength.  If no strength definition is present, all
       keys will have strength 0.

       More than one key-value pair may be used within a strength description.

       A key-value pair is composed of keyword = value where value is an
       unsigned number.

       The following keywords are valid:

       MOD_EXP
              Specifies the minimum number of bits required for RSA moduli,
              and DH and DSA primes such that the corresponding key is of the
              currently defined strength.

              Note: This key-value pair is optional.  If not present, no RSA,
              DH, or DSA key can have the currently defined strength.

       ECC    Specifies the minimum number of bits in the prime field of the
              elliptic curve such that the corresponding key is of the
              currently defined strength.

              Note: This key-value pair is optional.  If not present, no EC
              key can have the currently defined strength.

       SYMMETRIC
              Specifies the minimum number of bits required for symmetric keys
              such that the corresponding key is of the currently defined
              strength.

              Note: This key-value pair is optional.  If not present, no
              symmetric key can have the currently defined strength.

       digest Specifies the minimum size in bits of digest outputs required by
              the currently defined strength.

              Note: This key-value pair is optional.  If not present, this
              strength definition does not constrain the size of digests.

       signature
              Specifies the minimum size in bits of signatures required by the
              currently defined strength.

              Note: This key-value pair is optional.  If not present, this
              strength definition does not constrain the size of signatures.

NOTES

       The strength configuration file has to be owned by root:pkcs11, have
       mode 0640, and be parsable.  Otherwise, openCryptoki will return
       CKR_FUNCTION_FAILED on C_Initialize and log a corresponding message to
       syslog detailing the reason why the strength configuration could not be
       used.  In this case, fix the problem described in syslog to be able to
       use openCryptoki again.

       The pound sign ('#') is used to indicate a comment.  Both the comment
       character and any text after it, up to the end of the line, are
       ignored.  The comment character can be used at the beginning of a line
       (including before the file version specification), after a value, and
       before and after the braces.
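
       A lint for the syntax and notes described above, useful before
       installing a changed file, since an unparsable one makes C_Initialize
       fail. This is an added example, not openCryptoki's own parser: the
       function name, the whitespace-insensitive tokenising and the sample
       values are assumptions, and file ownership and mode are not checked.

```python
import re

STRENGTHS = (112, 128, 192, 256)
# Keywords whose absence means no key of that type can have the strength.
KEY_TYPES = {"MOD_EXP": "RSA/DH/DSA", "ECC": "EC", "SYMMETRIC": "symmetric"}
KEYWORDS = set(KEY_TYPES) | {"digest", "signature"}

def lint_strength_conf(text):
    """Return (definitions, errors, notes); parsing stops at the first error."""
    # '#' comments run to end of line; braces and '=' are separate tokens.
    body = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    tok = re.findall(r"[{}=]|[^\s{}=]+", body)
    fail = lambda msg: ({}, [msg], [])
    if tok[:2] != ["version", "strength-0"]:
        return fail("file must start with 'version strength-0'")
    defs, notes, i = {}, [], 2
    while i < len(tok):
        head = tok[i:i + 3]
        if (len(head) < 3 or head[0] != "strength" or head[2] != "{"
                or head[1] not in map(str, STRENGTHS)):
            return fail(f"expected 'strength <112|128|192|256> {{' at {head}")
        block, i = {}, i + 3
        while i < len(tok) and tok[i] != "}":
            pair = tok[i:i + 3]
            if (len(pair) < 3 or pair[0] not in KEYWORDS or pair[1] != "="
                    or not re.fullmatch(r"[0-9]+", pair[2])):
                return fail(f"expected '<keyword> = <unsigned number>' at {pair}")
            block[pair[0]] = int(pair[2])
            i += 3
        if i == len(tok):
            return fail("missing closing '}'")
        defs[int(head[1])], i = block, i + 1
    for s in STRENGTHS:
        if s not in defs:
            notes.append(f"strength {s} undefined: no key can have it")
            continue
        for kw, kind in KEY_TYPES.items():
            if kw not in defs[s]:
                notes.append(f"strength {s}: no {kw}, so no {kind} key can have it")
    return defs, [], notes

SAMPLE = """# constructed sample, illustrative values (not the shipped example)
version strength-0
strength 112
{
    MOD_EXP = 2048
    SYMMETRIC = 112   # no ECC line in this block
}
"""
```

       The notes list restates the documented consequences of omitted
       definitions, so a reviewer can see which key types silently fall to
       a lower strength.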

SEE ALSO

       strength.conf(5),
       opencryptoki(7),
       /usr/share/doc/opencryptoki/strength-example.conf

3.20.0                          September 2021                STRENGTH.CONF(5)