Hi Alex, our device is unattended, not always on, and in some cases in only semi-secured locations. Besides preventing root access, we also need to protect against the hacking of a stolen device (or disk).
Human interaction is not practical (other than in exceptional situations).

Roger

> On Nov 15, 2018, at 2:41 PM, Alex Samad <a...@samad.com.au> wrote:
>
> Hi
>
> Isn't this a bit futile? If they can get onto the box that has nginx they can
> get either the private key or the secret to get the private key.
>
> Safer would be to make it so that you need human interaction to start nginx.
>
> But still, a memory dump of the app would get you the private key.
>
> > On Fri, 16 Nov 2018 at 00:03, Maxim Dounin <mdou...@mdounin.ru> wrote:
> >
> > Hello!
> >
> > On Wed, Nov 14, 2018 at 12:17:57PM -0800, Roger Fischer wrote:
> >
> > > Hello,
> > >
> > > does NGINX support any mechanisms to securely access the private
> > > key of server certificates?
> > >
> > > Specifically, could NGINX make a request to a key store, rather
> > > than reading from a local file?
> > >
> > > Are there any best practices for keeping private keys secure?
> > >
> > > I understand the basics. The key file should only be readable by
> > > root. I cannot protect the key with a pass-phrase, as NGINX
> > > needs to start and restart autonomously.
> >
> > You actually can protect the key using a passphrase, see
> > http://nginx.org/r/ssl_password_file. Though this might not be
> > the best idea due to basically the same security provided, while
> > involving higher complexity.
> >
> > Also, you can use "engine:..." syntax to load keys via OpenSSL
> > engines. This allows using various complex key stores, including
> > hardware tokens, to access keys, though may not be trivial to
> > configure.
> >
> > --
> > Maxim Dounin
> > http://mdounin.ru/
> >
> > _______________________________________________
> > nginx mailing list
> > nginx@nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx
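The two autonomous-start options Maxim describes above (a passphrase-protected key unlocked via ssl_password_file, and a key held in a hardware token loaded through the "engine:name:id" form of ssl_certificate_key), written out as a single nginx server block. This is an added illustration, not configuration from the thread or from the nginx project; the paths, the hostname, the "pkcs11" engine name and the PKCS#11 URI are assumptions chosen for the example.

```nginx
# Added example, not from the thread: a minimal TLS server block showing
# both key-loading options discussed. All paths/names are assumptions.

server {
    listen 443 ssl;
    server_name device.example.com;          # assumed hostname

    ssl_certificate /etc/nginx/tls/server.crt;

    # Option 1: passphrase-protected PEM key plus a passphrase file.
    # The key can be generated encrypted with, for example:
    #   openssl genpkey -algorithm RSA -aes-256-cbc -out server.key
    # ssl_password_file (nginx 1.7.3+) lists one candidate passphrase per
    # line; nginx tries them in turn when loading the key. The master
    # process reads both files at startup and on reload, so the passphrase
    # file must be protected like the key itself (mode 0600, owned by root).
    # Caveat, as Maxim says: this only moves the secret to a second file on
    # the same disk. Whoever has root, or the stolen disk, has both files.
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_password_file   /etc/nginx/tls/server.key.pass;

    # Option 2 (use instead of option 1): keep the private key in a hardware
    # token/HSM and load it through an OpenSSL engine (nginx 1.7.9+). The
    # engine name "pkcs11" (libp11/OpenSC) and the URI below are assumptions;
    # the engine must also be configured in openssl.cnf for the nginx user,
    # and the token PIN is supplied engine-side (for libp11, via pin-value=
    # or pin-source= in the URI), not through ssl_password_file.
    # With this option the private key never leaves the token, so a memory
    # dump of nginx (Alex's concern) yields a handle, not the key material.
    #
    # ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx;object=server-key;type=private";

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        return 200 "ok\n";
    }
}
```

Before relying on option 1, confirm that `nginx -t` loads the key without prompting (a missing or wrong passphrase file fails the config test rather than hanging at boot). For the stolen-device case that Roger raises, only option 2 changes the threat model: the attacker who walks off with the disk gets a key file they cannot decrypt only if the passphrase is not also on that disk, which an unattended device cannot guarantee, whereas a token-resident key is never on the disk at all.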