backup system for signing keys with good bus factor
We need a way to securely maintain signing key backups that does not have bus factor issues. The general idea is:
- Signing keys must be stored in a Hardware Security Module (HSM).
- We have worked with Nitrokey HSM, and followed the Nitrokey NetHSM
- We agreed that no single contributor should be able to unlock the backup (e.g. n-of-m scheme).
@Bubu did great work in getting Nitrokey HSM working for importing keys from Java keystores into a Nitrokey HSM via the DKEK Share backup mechanism. Thanks to him, it is also possible to securely store and use thousands of APK signing keys using a Nitrokey HSM, which only has something like 50 slots, using a "wrapped keys" mechanism based on DKEK Share. This mechanism provides us with a cheap, secure way to back up all of our signing keys so that we can have more than one copy. This approach might also work for the production signing server #873.
There have been many discussions about doing this, so I'm trying to document what I remember since @obfusk is starting to work on it. Please correct me or add anything I missed.