The Cosmian KMS can be used to unlock Prim'x CRYHOD partitions.
If you get the following pop-up when trying to encrypt a disk, additional configuration is required.
Launch the CRYHOD policies application.
Configure the P131 policy:
For testing, you can set the value to th.
Configure the P821 policy:
For testing, you can keep the default values.
Configure the location of the PKCS#11 provider using the P296 policy:
Enter the full path of cosmian_pkcs11.dll as the value name and leave the value empty.
Note: if you change the value, kill all CRYHOD processes or restart for the change to take effect.
Launch Computer Encryption Center and select the partition to encrypt.
Then select "Key stored in a smart card or USB device (PKCS#11)".
Click Next; the Cosmian KMS should appear in the list.
Click Next.
The configuration file is ckms.toml, located in the .cosmian sub-directory of the user's home directory.
See Authenticating users to the KMS to learn how to configure the KMS to use Open ID Connect or certificate authentication. Please note that the KMS can also manage the machines' certificates.
Here is an example configuration file for the PKCS#11 provider library accessing the KMS using a PKCS#12 file for authentication.
[http_config]
server_url = "https://kms.acme.com:9999"
ssl_client_pkcs12_path = "./certificates/machine123.acme.p12"
ssl_client_pkcs12_password = "machine123_pkcs12_password"

By default, the logs are available in the User home .cosmian sub-directory.
Get-Content -path C:\<USER HOME>\.cosmian\cosmian-pkcs11.log -wait

The log level can be adjusted using the COSMIAN_PKCS11_LOGGING_LEVEL environment variable.
setx COSMIAN_PKCS11_LOGGING_LEVEL "debug"

Create an RSA key with 2048 bits and the disk-encryption tag.
This tag is the default tag searched. The value can be changed by setting
the COSMIAN_PKCS11_DISK_ENCRYPTION_TAG environment variable.
cosmian.exe rsa keys create -s 2048 -t disk-encryption
Public key unique identifier: ec572e57-eab0-481c-9393-805a11c12ac0_pk
Private key unique identifier: ec572e57-eab0-481c-9393-805a11c12ac0
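A preflight check for the ckms.toml file shown earlier, as an added example that is not part of the Cosmian documentation or tooling. It flags a non-HTTPS server_url, broad ACL entries on the file (it holds the PKCS#12 password in clear text), and a PKCS#12 file that is missing, cannot be opened with the configured password, or has expired. The function name Test-CkmsConfig and the path handling are assumptions.

```powershell
# Added example (not Cosmian code): preflight check of ckms.toml.
# Assumptions: the file is %USERPROFILE%\.cosmian\ckms.toml, uses the [http_config]
# keys shown on this page, and a relative PKCS#12 path is resolved against the
# current PowerShell location. TOML escape sequences are not handled.
function Test-CkmsConfig {
    param([string]$ConfigPath = (Join-Path $env:USERPROFILE '.cosmian\ckms.toml'))

    if (-not (Test-Path -LiteralPath $ConfigPath)) { return @("Missing config file: $ConfigPath") }
    $findings = @()

    # Collect simple key = "value" pairs, enough for the three keys checked here.
    $cfg = @{}
    foreach ($line in Get-Content -LiteralPath $ConfigPath) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*=\s*"(.*)"\s*$') { $cfg[$Matches[1]] = $Matches[2] }
    }
    if ($cfg['server_url'] -notmatch '^https://') { $findings += 'server_url is not an https:// URL' }

    # The file holds the PKCS#12 password in clear text: flag any Allow entry for
    # Everyone (S-1-1-0), Authenticated Users (S-1-5-11) or Users (S-1-5-32-545).
    $broad = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $ConfigPath).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $ace.IdentityReference.Value) {
            $findings += "ckms.toml grants access to $($ace.IdentityReference.Value)"
        }
    }

    # Open the PKCS#12 file with the configured password; check key and validity.
    $p12 = $cfg['ssl_client_pkcs12_path']
    if (-not $p12 -or -not (Test-Path -LiteralPath $p12)) {
        $findings += "PKCS#12 file not found: $p12"
    } else {
        try {
            $path = (Resolve-Path -LiteralPath $p12).ProviderPath
            $pw = $cfg['ssl_client_pkcs12_password']
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path, $pw)
            if (-not $cert.HasPrivateKey) { $findings += 'PKCS#12 file contains no private key' }
            if ($cert.NotAfter -lt (Get-Date)) { $findings += "Client certificate expired on $($cert.NotAfter)" }
        } catch {
            $findings += "Cannot open the PKCS#12 file with the configured password: $($_.Exception.Message)"
        }
    }
    return $findings
}

$result = Test-CkmsConfig
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'ckms.toml checks passed' }
```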






