On January 30, SAFIRE generated a new metadata signing key which will be used to sign all of the Federation’s metadata aggregates.
Key generation was done at a ceremony at TENET’s Wynberg offices in the presence of an observer from the University of Cape Town. Reasonable precautions were taken ensure the integrity of the new key, in accordance with our key management practice statement.
The key was generated by in hardware by a NitroKey HSM smart-card based hardware security module. During the ceremony, this was plugged into an offline, air-gapped computer booted using an Ubuntu 16.0.1 LTS live DVD. All drivers and other packages were stock Ubuntu packages, and were verified against the publisher’s checksums before being installed in the clean environment. All writable media used for this exercise was kept in sealed original packaging until shortly before it was needed and unsealed media was not left unattended prior to the completion of the exercise.
Whilst still offline, the newly generated keys were replicated using the Smartcard HSM’s DKEK encrypted backup and restore mechanism, creating three copies of the key on separate HSMs. One of these HSMs is currently used to perform metadata signings, while the remaining two provide cold backups.
Finally, new SAML signing keys were generated for both the federation hub and the identity provider proxies. These are not stored on the HSM, but took advantage of the clean environment we had set up to ensure than unencrypted private key material was never exposed to the Internet.
At the completion of the exercise, the spare HSMs and backups of the DKEK shares were placed into sealed, tamper evident envelopes and deposited into separate safes. The keys for these safes are under the control of different people.
The in-use HSM is plugged into an internal USB slot within the chassis of the server hosting our metadata aggregator. This is in turn located within a locked private cage within the controlled environment of a commercial data centre. This significantly restricts physical access to the HSM to authorised TENET staff.
Update: a more detailed description of this is now available.