[strongSwan-dev] VICI API for sending decrypt password for RSA private key

Andreas Steffen andreas.steffen at strongswan.org
Wed Jan 6 07:20:10 CET 2016


Hi Harry,

the loading of private keys is not handled by starter but by the
stroke plugin through processing of /etc/ipsec.secrets. Thus the
decryption of protected private key files is done directly by the
charon daemon via the stroke plugin.

Best regards

Andreas

On 06.01.2016 06:19, Harry Chan-Maestas wrote:
> Hi Andreas,
>
> Thank you for the clarification.
>
> So is the "starter" process doing something similar when processing
> ipsec.secrets? Basically, I was looking for something like
>
> : RSA /<private key file>/ [ /<passphrase>/ | /%prompt/ ]
>
> through VICI.
>
> Harry
>
> On Tue, Jan 5, 2016 at 9:04 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
>     Hi Harry,
>
>     yes your assumption is correct. swanctl decrypts protected private
>     keys and sends them as plaintext via VICI to the charon daemon.
>
>     Best regards
>
>     Andreas
>
>
>     On 06.01.2016 03:59, Harry Chan-Maestas wrote:
>
>         Hi,
>
>         Is this assumption/understanding correct? Going through the swanctl
>         code, it seems that the way it deals with encrypted private keys
>         is by reading the key, decrypting it, and sending the decrypted
>         version to Charon.
>
>         If this is not the case, would anyone know what the API is to
>         send the encrypted RSA private key and the decrypt password to
>         Charon through VICI?
>
>         Thank you in advance,
>
>         Harry
>
>
>     ======================================================================
>     Andreas Steffen                         andreas.steffen at strongswan.org
>     strongSwan - the Open Source VPN Solution!          www.strongswan.org
>     Institute for Internet Technologies and Applications
>     University of Applied Sciences Rapperswil
>     CH-8640 Rapperswil (Switzerland)
>     ===========================================================[ITA-HSR]==
>
>

-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
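Added example (not code from this thread or from the strongSwan project): a minimal encoder/decoder for the VICI wire format that builds the `load-key` request swanctl sends once it has decrypted a protected key locally. The message layout (`type` and `data` keys under a `CMD_REQUEST` packet) and the element type codes follow strongSwan's VICI protocol documentation; the dict-based helper names, the placeholder PEM body and the assumption that the default socket lives at `/var/run/charon.vici` are mine. Decrypting the PEM with the passphrase is the client's job and is not shown here; the point of the example is that what crosses the socket is the plaintext key, so the filesystem permissions on the VICI socket are the control that matters.

```python
import socket
import struct

# Packet types and message element types from strongSwan's VICI protocol description.
CMD_REQUEST, CMD_RESPONSE = 0, 1
SECTION_START, SECTION_END, KEY_VALUE, LIST_START, LIST_ITEM, LIST_END = 1, 2, 3, 4, 5, 6

# Default charon VICI socket path (assumption; distributions may relocate it).
DEFAULT_VICI_SOCKET = "/var/run/charon.vici"


def _name(s):
    """Names (keys, sections, commands) are 1-byte length prefixed."""
    b = s.encode()
    if len(b) > 255:
        raise ValueError("VICI names are limited to 255 bytes")
    return bytes([len(b)]) + b


def _value(v):
    """Values are 2-byte big-endian length prefixed."""
    b = v.encode() if isinstance(v, str) else bytes(v)
    if len(b) > 0xFFFF:
        raise ValueError("VICI values are limited to 65535 bytes")
    return struct.pack(">H", len(b)) + b


def encode_message(msg):
    """Encode a nested dict into a VICI element stream.
    dict -> section, list -> list of items, str/bytes -> key/value."""
    out = bytearray()
    for key, val in msg.items():
        if isinstance(val, dict):
            out += bytes([SECTION_START]) + _name(key) + encode_message(val) + bytes([SECTION_END])
        elif isinstance(val, list):
            out += bytes([LIST_START]) + _name(key)
            for item in val:
                out += bytes([LIST_ITEM]) + _value(item)
            out += bytes([LIST_END])
        else:
            out += bytes([KEY_VALUE]) + _name(key) + _value(val)
    return bytes(out)


def decode_message(data):
    """Inverse of encode_message; values come back as str."""
    root, stack, pos = {}, [], 0
    stack.append(root)
    while pos < len(data):
        t = data[pos]
        pos += 1
        if t in (SECTION_START, LIST_START, KEY_VALUE):
            n = data[pos]
            name = data[pos + 1:pos + 1 + n].decode()
            pos += 1 + n
        if t == SECTION_START:
            sect = {}
            stack[-1][name] = sect
            stack.append(sect)
        elif t == LIST_START:
            lst = []
            stack[-1][name] = lst
            stack.append(lst)
        elif t in (KEY_VALUE, LIST_ITEM):
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            val = data[pos:pos + n].decode()
            pos += n
            if t == KEY_VALUE:
                stack[-1][name] = val
            else:
                stack[-1].append(val)
        elif t in (SECTION_END, LIST_END):
            stack.pop()
        else:
            raise ValueError("unknown VICI element type %d" % t)
    return root


def encode_request(command, msg):
    """Frame a CMD_REQUEST packet: 4-byte length, type byte, command name, message."""
    body = bytes([CMD_REQUEST]) + _name(command) + encode_message(msg)
    return struct.pack(">I", len(body)) + body


def parse_request(packet):
    """Split a framed CMD_REQUEST back into (command, message) for inspection."""
    (length,) = struct.unpack(">I", packet[:4])
    body = packet[4:4 + length]
    if not body or body[0] != CMD_REQUEST:
        raise ValueError("not a CMD_REQUEST packet")
    n = body[1]
    return body[2:2 + n].decode(), decode_message(body[2 + n:])


def build_load_key_request(pem, key_type="RSA"):
    """What swanctl sends for a key it has already decrypted: the PEM in the clear."""
    return encode_request("load-key", {"type": key_type, "data": pem})


def send_load_key(pem, key_type="RSA", sock_path=DEFAULT_VICI_SOCKET):
    """Deliver the key to charon and return the decoded response (requires a running daemon)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_load_key_request(pem, key_type))
        (length,) = struct.unpack(">I", s.recv(4))
        body = s.recv(length)
        if body[0] != CMD_RESPONSE:
            raise ValueError("unexpected VICI packet type %d" % body[0])
        return decode_message(body[1:])


# Constructed placeholder, not real key material.
PLACEHOLDER_PEM = "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
```

`send_load_key` is only there to show where the framed request goes; in the thread's scenario the caller has already turned the passphrase-protected file into `pem` before calling it, which is exactly why the decryption step is not something charon can be asked to do over VICI.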
