
Feature request: add 'delete keys' option to ods-ksmutil


    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: OpenDNSSEC 2.0
    • Fix Version/s: None
    • Component/s: Enforcer
    • Labels:
      None

      Description

      We came across a use case for deleting keys from the HSM/KASP.
      During testing we created a few keys with ods-ksmutil, which were later deleted using ods-hsmutil. The problem is that those keys that had never been used left a trace in the KASP, and there is no way (short of hacking into the KASP database directly) to delete those traces.

      Let's assume that an operator has a policy with keys of a certain size, and pre-generates a pool of keys for a long period. If at some point during that period they need to change the key size of the policy and generate new keys, they will end up with a few unused keys that will sit forever in the HSM and the KASP. Those keys won't be deleted by "purge", because they are not in the DEAD state.

      The proposed interface for the command could be:
          ods-ksmutil key delete --cka_id LOCATOR [--force]

      If the key is in the GENERATE state, it could be deleted without any side effect.
      If the key is in any other state, the key won't be deleted and the command will complain. That behavior can be overridden by the --force option.
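      The gap the request describes, modelled as an added example (not OpenDNSSEC code): key material lives in the HSM, key metadata lives in the KASP database, "purge" only drops DEAD records, and the proposed "key delete" drops a record by its locator only while it is still in GENERATE state unless --force is given. The state names, locators and the Kasp class are constructed for illustration.

```python
# Constructed model of the KASP/HSM split described in the issue.
# Not OpenDNSSEC code; states and locators are illustrative only.
from dataclasses import dataclass, field

GENERATE, PUBLISH, ACTIVE, RETIRE, DEAD = "GENERATE", "PUBLISH", "ACTIVE", "RETIRE", "DEAD"


@dataclass
class Kasp:
    keys: dict = field(default_factory=dict)   # cka_id (locator) -> key state
    log: list = field(default_factory=list)    # audit trail of deletions

    def purge(self):
        """Existing 'purge' semantics: remove DEAD records only."""
        dead = sorted(k for k, s in self.keys.items() if s == DEAD)
        for k in dead:
            del self.keys[k]
        return dead

    def delete(self, cka_id, force=False):
        """Proposed 'key delete --cka_id LOCATOR [--force]' semantics."""
        state = self.keys.get(cka_id)
        if state is None:
            return "no such key"
        # A key that has been published or used must not vanish silently:
        # refuse unless the operator explicitly forces it.
        if state != GENERATE and not force:
            return f"refusing: key is {state}, use --force"
        del self.keys[cka_id]
        self.log.append((cka_id, state, "forced" if force else "clean"))
        return "deleted"


def orphans(kasp, hsm_locators):
    """KASP records whose material is already gone from the HSM:
    the leftover traces the issue reports."""
    return sorted(k for k in kasp.keys if k not in hsm_locators)


def scenario():
    """Unused pool keys deleted via ods-hsmutil leave KASP traces;
    purge does not touch them, the proposed delete does."""
    kasp = Kasp({"k1": GENERATE, "k2": GENERATE, "k3": ACTIVE, "k4": DEAD})
    hsm = {"k3", "k4"}                 # k1/k2 material removed with ods-hsmutil
    before = orphans(kasp, hsm)        # ['k1', 'k2'] left behind
    purged = kasp.purge()              # only ['k4'] goes
    results = [kasp.delete(k) for k in before]
    return before, purged, results, orphans(kasp, hsm)
```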

            People

            Assignee: Siôn Lloyd
            Reporter: Sebastian Castro (sebastian@nzrs.net.nz)