I need to use openssl with keys stored on a distant KMS.
How can I do this?
I've seen specific projects about openssl using AWS keys (1) or Google cloud keys (2).
Still, I found no KMIP-generic solution.
(1) https://github.com/nakedible/openssl-engine-kms
(2) https://cloud.google.com/kms/docs/reference/pkcs11-openssl
So far I built pkcs11 and libp11 DLLs from the OpenSC/libp11 project (https://github.com/OpenSC/libp11).
OpenSSL loads the pkcs11 engine.
I feel I'm getting nearer...
... but I'm lacking a pkcs11 driver that would use KMIP as a backend.
Does such a driver exist?
-- or --
The KMS also has a REST API.
Are there solutions to bridge an existing OpenSSL engine with a REST API?
Clarifications:
- this is for use on a Windows 11 system
- the targeted KMS is OVH KMS (OVH responded they don't have a dedicated driver for now), but I think the problem is wider than just a specific KMS provider.