DER is just as easily readable with openssl. Encrypting the private key may help, but would need a password, which must be provided. If you have a secure enough way to provide the password, that way could provide the unencrypted pem as well!
The most secure way is limiting the key's lifetime to days, and issuing a new key on every restart, e.g. from HashiCorp's Vault.
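Added example, not part of the original message: a sketch of the "new short-lived key on every restart" approach, where the private key is generated in process memory and never written to disk as PEM or DER. The in-memory demo CA is a constructed stand-in for an issuer such as Vault, and `newCert` and the host name are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert makes a fresh P-256 key in memory and certifies it for ttl; a nil issuer self-signs as a demo CA.
func newCert(issuer *tls.Certificate, name string, ttl time.Duration) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	parent, signer := t, interface{}(key)
	if issuer == nil { // constructed CA: in production the issuer would be external (assumption)
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		parent, signer = issuer.Leaf, issuer.PrivateKey
		t.DNSNames, t.KeyUsage = []string{name}, x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

func main() {
	ca, err := newCert(nil, "demo CA", 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	srv, err := newCert(ca, "svc.example.internal", 48*time.Hour) // repeat on every restart
	if err != nil {
		panic(err)
	}
	fmt.Println("key never touched disk; valid until", srv.Leaf.NotAfter)
}
```

The returned value can be placed directly in `tls.Config{Certificates: ...}`; a key copied from a stopped instance stops being useful once the short validity window ends.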