Encryption on Solaris (using Keystore)

Tags: encryption, solaris-10

I am trying to draft up a secure way to encrypt (on the fly, invoking it from an app) and decrypt sensitive information (credit cards) using AES-256.

The target platform is:

cat /etc/release

Solaris 10 10/09 s10s_u8wos_08a SPARC

The optimal solution would be to be able to save the keys inside a Key Store, and use encrypt/decrypt (paired with UUENCODE so that the resulting encrypted string can be saved inside a normal DB field).

We have successfully tested the whole chain using just AES-128 (out-of-the-box with a basic Solaris install) and we understand we need to upgrade the target env. with the correct Solaris package to get to AES-256 [SUNWcry package – the unbundled Solaris Data Encryption Kit].

What escapes me is how to make "encrypt" access a key from the keystore. Oracle documentation mentions "-K" as a command line parameter (note this is an uppercase K) to do this (see here, for example), but the "-K" switch seems not to be available on our test machine.

Is this possible? Is this linked to the specific Solaris version? If not, can we obtain this by installing something else? (We haven't yet installed the crypto package to get to AES-256 so no idea if this will come "for free" with that).

Best Answer

I saw the comment that said this issue was closed for you, but I felt compelled to reach out to another Solaris user.

The encrypt and decrypt commands are provided by the SUNWcsu package, not the SUNWcrypt package.

The -K option comes in Solaris 11.

Another option for you might be to roll your own solution, if you can write code. Here's an example:

http://blogs.oracle.com/sprack/entry/using_solaris_softtoken_keystore

Or use another solution as well, based on an encrypted ZFS filesystem to protect either the keystore or the data, or both. Here's an example of that:

http://www.c0t0d0s0.org/archives/7055-Protecting-your-data-with-two-factors-and-ZFS-dataset-encryption.html

If you stored the encrypt/decrypt key (-k key, not -K keystore) on an encrypted filesystem, your application stack could use the current encrypt/decrypt binaries to do your work.

Or, just roll out Solaris 11, which drops GA next week. :)
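The key-file workflow the answer suggests (-k key file, not -K keystore), combined with the uuencode step from the question, as an added shell example that is not part of the original post. It assumes the Solaris encrypt(1), decrypt(1), pktool(1) and uuencode(1) utilities; the key path /keys/cc.key and the sample value are placeholders.

```shell
#!/bin/sh
# Added example: raw AES key in a file (-k), as the answer suggests, not a keystore (-K).
# Assumes Solaris encrypt/decrypt/pktool/uuencode; KEYFILE is a placeholder path.
KEYFILE="${KEYFILE:-/keys/cc.key}"   # keep this dataset separate from the DB and app logs
KEYLEN="${KEYLEN:-256}"              # 256 needs the SUNWcry kit; 128 works on stock Solaris 10

# Refuse cleanly when run off-Solaris instead of failing half-way through a record.
require_tools() {
    for t in encrypt decrypt pktool uuencode uudecode; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing: $t (Solaris only)" >&2; return 2; }
    done
}

# One-time setup: generate a raw AES key readable only by the application owner.
make_key() {
    require_tools || return $?
    [ -f "$KEYFILE" ] && { echo "refusing to overwrite $KEYFILE" >&2; return 1; }
    ( umask 077; pktool genkey keystore=file outkey="$KEYFILE" keytype=aes keylen="$KEYLEN" )
}

# Plaintext on stdin -> base64 text on stdout, safe to store in a normal DB column.
# encrypt generates a random IV per call and stores it with the ciphertext,
# so equal card numbers do not produce equal stored fields.
encrypt_to_text() {
    require_tools || return $?
    encrypt -a aes -k "$KEYFILE" | uuencode -m field
}

# Stored text on stdin -> plaintext on stdout. Never echo the result into a log.
decrypt_from_text() {
    require_tools || return $?
    uudecode -p | decrypt -a aes -k "$KEYFILE"
}

# Round trip with a constructed sample value (not a real card number).
demo() {
    field=$(printf '%s' '4111-1111-1111-1111' | encrypt_to_text) || return $?
    printf '%s\n' "$field" | decrypt_from_text
}
```

The key file only needs read access for the account running the application, so nothing else on the host should be able to read it; on Solaris 11 the dataset holding it can additionally be an encrypted ZFS filesystem as the answer describes.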