From a957b537d01504117a5c66e30eff4ca9527da7d2 Mon Sep 17 00:00:00 2001 From: Martin Date: Wed, 23 Jun 2021 10:01:36 +0200 Subject: [PATCH] [10.7] [PR 3710] hsmdaemon install consistency and accuracy Backport of PR #3710 --- .../pages/configuration/server/security/hsmdaemon/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc index 39051f84a2..89f31a20e6 100644 --- a/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc +++ b/modules/admin_manual/pages/configuration/server/security/hsmdaemon/index.adoc @@ -28,7 +28,7 @@ Running {php-exec-function-url}[exec()] to decrypt the key with a command line c This daemon will be used by ownCloud to decrypt the current master key upon request. The communication happens via {unix-sockets-url}[UNIX sockets] or {network-sockets-url}[TCP sockets] and is authorized by a shared token that the daemon stores in the ownCloud database via a REST/JSON route. -ownCloud internally uses OpenSSL to encrypt and decrypt keys and needs to be extended to support en-/decrypt operations via the new daemon. The current solution encrypts the ownCloud master key with a key from the HSM. +ownCloud internally uses OpenSSL to encrypt and decrypt keys and that is extended to support en-/decrypt operations via the new daemon. The current solution encrypts the ownCloud master key with a key from the HSM. NOTE: From the technical point of view the `Crypt` class is extended to handle the key generation in the HSM device and also to get the key from HSM. For the read/write operation on a file, the request goes to the HSM and then, based on the keys fetched from HSM, the files are encrypted or decrypted. The keys are not replaced.
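Review bot: In the added line, "and that is extended to support en-/decrypt operations via the new daemon" leaves "that" without a clear antecedent: it could be OpenSSL, ownCloud, or the key handling. The NOTE in the trailing context says it is the `Crypt` class that is extended, so I would split the sentence and name the subject, for example "ownCloud internally uses OpenSSL to encrypt and decrypt keys. This key handling is extended to support encrypt and decrypt operations via the daemon." Spelling out "en-/decrypt" would also read better. Since the wording moves from "needs to be extended" to a present-tense statement, "the new daemon" could become "the daemon". A reader of this security page needs to know unambiguously which component talks to the HSM.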