For software signing I want to use a “single” Nitrokey HSM that can be used by multiple engineers. For safety reasons the key is not permanently attached to a PC or server.
Whenever the HSM is used I want to put the user name, actions and used keys in an audit log. My idea is to run a process on a server to control access and use the HSM connected to the Windows PC of the engineers.
But how to connect remotely to the HSM?
When having a Windows Remote Desktop connection I’m able to access the HSM on the client PC without any problems, so this could also be part of the solution.
Instead of a PIN I would like to log in to the HSM with a public key handshake, but I can’t find a way to do this without using 2 HSMs locally. I see how to add public keys but not how to use them (on Windows).
It’s embedded software so basically some (python) scripts are supplied to perform the actions around the signing.
Mainly a binary file is generated; this should result in a signature file that will be used somehow by the tools. So selecting a key label, uploading a file and downloading the signature together with the user information is the bare minimum. No UI is needed, as we like to automate it as much as possible. For audit purposes the user is not defined by the HSM but by the actual user, as the HSM is a shared tool between several people who don’t know the PIN.
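The broker process described above, as an added example (not code from the post or from Nitrokey): the server-side process holds the HSM PIN, decides per user which key labels may be used, signs the uploaded binary over PKCS#11 with the python-pkcs11 library and appends an audit record naming the requesting user, the key label and the file hash. The module path, token label, user-to-key policy and the `signer` parameter are assumptions; the PKCS#11 call needs a real HSM, while the policy and audit parts run stand-alone.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed policy (assumption): which engineer may sign with which key label.
ALLOWED_KEYS = {"alice": {"fw-release"}, "bob": {"fw-release", "fw-debug"}}


def authorize(user, key_label):
    """Access control lives in the broker, since the engineers never get the PIN."""
    return key_label in ALLOWED_KEYS.get(user, set())


def audit_record(user, key_label, data, ok):
    """One log line per signing request: who, which key, which file, outcome."""
    return {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
            "action": "sign", "key_label": key_label,
            "sha256": hashlib.sha256(data).hexdigest(),
            "result": "ok" if ok else "denied"}


def sign_with_hsm(data, key_label, user_pin,
                  module_path="/usr/lib/opensc-pkcs11.so",   # assumption; .dll on Windows
                  token_label="SmartCard-HSM"):              # assumption; check pkcs11-tool -L
    """Sign with the private key carrying key_label on the Nitrokey HSM via PKCS#11."""
    import pkcs11
    from pkcs11 import KeyType, Mechanism, ObjectClass
    lib = pkcs11.lib(module_path)
    token = lib.get_token(token_label=token_label)
    with token.open(user_pin=user_pin) as session:
        key = session.get_key(label=key_label, key_type=KeyType.RSA,
                              object_class=ObjectClass.PRIVATE_KEY)
        return key.sign(data, mechanism=Mechanism.SHA256_RSA_PKCS)


def handle_request(user, key_label, data, user_pin,
                   log_path="hsm-audit.jsonl", signer=sign_with_hsm):
    """Authorize, sign (only if allowed) and always write the audit record."""
    ok = authorize(user, key_label)
    signature = signer(data, key_label, user_pin) if ok else None
    record = audit_record(user, key_label, data, ok)
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return signature, record
```

Denied requests are logged as well, so the audit trail also shows who tried to use a key they were not allowed to.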