By encrypting using the RSA private key, you have gained nothing, because anyone can decrypt using the corresponding public key. If you encrypt using the public key, how would you decrypt? You have a chicken-and-egg problem.
Not sure if encrypting using an AES key (only) is considered secure enough, but it is perhaps better than any other in-band approach. Upon decrypting with AES, I would store the key in an inaccessible manner (like on a CD, not on a hard drive of a PC connected to the internet, etc.). And destroy the AES key? Maybe there are better solutions out there.

_____
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Peter Lin
Sent: Monday, October 26, 2009 1:21 PM
To: openssl-users@openssl.org
Subject: Key security problem

Hi folks,

I have a problem about key security. If an RSA private key is encrypted by an AES key, which is again encrypted by the same RSA private key itself, is this considered a secure procedure? Obtaining the encrypted RSA private key and the AES key, is there any way to "calculate" or "recover" the private key by some method like solving an equation?

The reason for this strange design is that the plain-text RSA private key is stored in some hardware chip which can only do en/decryption but cannot pass the key out. However, I need to save a copy of the private key in an unsafe place for other purposes, but need to make sure of its safety. Also it is not desired to maintain two sets of keys, so here comes the idea to encrypt a key with itself. Hope I have explained it clearly.

Any opinion or better suggestion is appreciated.

Peter Lin
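An added illustration of the point made in the reply, not code from the thread or from OpenSSL: with a toy-sized RSA key, "encrypting" the wrapping key under the private key is undone by the public operation, so the stored bundle plus the public key yields the private key without solving anything; a wrapping key derived from an offline passphrase (the direction the reply suggests) does not have that weakness. The primes, exponent, key values and salt are constructed, and a SHA-256 keystream XOR stands in for AES so the block runs on the standard library alone.

```python
import hashlib

# Toy RSA parameters (constructed, far too small for real use; kept small so the
# arithmetic stays readable).
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (modular inverse, Python 3.8+)

def rsa_private_op(m):
    """'Encrypting' with the private key: m^d mod n. This is the signing primitive."""
    return pow(m, D, N)

def rsa_public_op(c):
    """The matching public operation, c^e mod n: anyone holding (e, n) can do it."""
    return pow(c, E, N)

def toy_stream_xor(key, data):
    """Stand-in for AES so the example runs on the standard library alone: XOR the
    data with a SHA-256(key || counter) keystream. Symmetric, so it also unwraps."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

PRIVATE_KEY_BYTES = D.to_bytes(8, "big")   # the secret to be stored off-chip

def self_wrapped_bundle(sym_key):
    """The design from the question: the private key wrapped with a symmetric key,
    and that symmetric key 'encrypted' with the same private key."""
    wrapped_priv = toy_stream_xor(sym_key.to_bytes(4, "big"), PRIVATE_KEY_BYTES)
    wrapped_sym = rsa_private_op(sym_key)
    return wrapped_priv, wrapped_sym

def recover_with_public_key_only(bundle):
    """What the stored bundle plus the PUBLIC key alone yields: the public operation
    undoes the private-key 'encryption', so the wrapping key and then D fall out."""
    wrapped_priv, wrapped_sym = bundle
    sym_key = rsa_public_op(wrapped_sym)
    return int.from_bytes(toy_stream_xor(sym_key.to_bytes(4, "big"), wrapped_priv), "big")

def passphrase_wrapped(passphrase, salt):
    """Out-of-band alternative: the wrapping key is derived from a passphrase kept
    offline (the CD in the reply), so the public key reveals nothing about it."""
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000)
    return toy_stream_xor(kek, PRIVATE_KEY_BYTES)

def unwrap_with_passphrase(wrapped, passphrase, salt):
    kek = hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000)
    return int.from_bytes(toy_stream_xor(kek, wrapped), "big")
```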