Crypt::Passphrase::Pepper::HSM - A pepper-wrapper using hardware for Crypt::Passphrase
    my $passphrase = Crypt::Passphrase->new(
        encoder => {
            module   => 'Pepper::HSM',
            provider => '/usr/lib/pkcs11/some-pkcs11.so',
            active   => '3',
            inner    => {
                module      => 'Argon2',
                output_size => 32,
            },
        },
    );
This module wraps another encoder to pepper the input to the hash. By using identifiers for the peppers, it allows for easy rotation of peppers. Unlike Crypt::Passphrase::Pepper::Simple it stores the peppers in a hardware security module (or some other PKCS11 implementation of choice) to ensure their confidentiality.
It will be able to validate both peppered and unpeppered hashes but only create the former.
This creates a new pepper encoder. It takes the following named arguments:
inner
This contains an encoder specification identical to the encoder field of Crypt::Passphrase. It is mandatory.
provider
The path to the PKCS11 provider. This is mandatory.
slot
The slot used on the provider. This defaults to the first listed slot.
active
This is the identifier of the active pepper. This is mandatory.
prefix
The prefix that is used when looking up keys in the HSM. It defaults to 'pepper-'.
pin
The PIN that is used for logging in, if any.
user_type
The type of user you're logging in with. This defaults to 'user', and you're unlikely to want to change that.
algorithm
This is the algorithm that's used for peppering. Supported values are 'sha1-hmac', 'sha224-hmac', 'sha256-hmac', 'sha384-hmac', and 'sha512-hmac' (the default).
This prehashes the $password using the given $algorithm and $identifier.
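The scheme described above (HMAC prehash keyed by a pepper identifier, then the inner encoder, with the identifier recorded so older peppers and unpeppered hashes still validate) can be modelled in a few lines. This is an added Python illustration, not the module's own code. Assumptions: the in-memory PEPPERS table stands in for the HSM, scrypt stands in for Argon2, and the `$peppered$...` / `$plain$...` string layouts and the needs_rehash helper are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the HSM: pepper identifier -> secret key. With a real
# PKCS11 device the key stays on the device and only the HMAC result comes back.
PEPPERS = {"3": b"constructed-pepper-3", "4": b"constructed-pepper-4"}

def prehash(password, algorithm, identifier):
    """HMAC the password under the pepper selected by identifier."""
    digest = algorithm.split("-")[0]            # 'sha512-hmac' -> 'sha512'
    return hmac.new(PEPPERS[identifier], password.encode(), digest).digest()

def inner_hash(data, salt):
    """Stand-in inner encoder: scrypt from the stdlib instead of Argon2."""
    return hashlib.scrypt(data, salt=salt, n=2**14, r=8, p=1, dklen=32)

def hash_password(password, active, algorithm="sha512-hmac"):
    """New hashes are always peppered and record the algorithm and pepper id."""
    salt = os.urandom(16)
    out = inner_hash(prehash(password, algorithm, active), salt)
    return "$".join(["", "peppered", algorithm, active, salt.hex(), out.hex()])

def verify_password(password, stored):
    """Accept peppered hashes under any known pepper id, and unpeppered ones."""
    fields = stored.split("$")[1:]
    if len(fields) == 5 and fields[0] == "peppered":
        _, algorithm, identifier, salt, expected = fields
        if identifier not in PEPPERS:
            return False
        data = prehash(password, algorithm, identifier)
    elif len(fields) == 3 and fields[0] == "plain":
        _, salt, expected = fields              # legacy hash without pepper
        data = password.encode()
    else:
        return False
    actual = inner_hash(data, bytes.fromhex(salt))
    return hmac.compare_digest(actual, bytes.fromhex(expected))

def needs_rehash(stored, active, algorithm="sha512-hmac"):
    """True when the hash was not made with the active pepper and algorithm."""
    return stored.split("$")[1:4] != ["peppered", algorithm, active]
```

Rotating a pepper in this model means adding a new key and changing `active`: existing hashes keep verifying under their recorded identifier and are flagged for rehashing at the next successful login.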
Leon Timmermans <leont@cpan.org>
This software is copyright (c) 2023 by Leon Timmermans.
This is free software; you can redistribute it and/or modify it under the same terms as the Perl 5 programming language system itself.