On 9/12/07, Thomas Charron <[EMAIL PROTECTED]> wrote:
> Anyone ever use a passphrase protected private key with apache, and
> found a way to provide the passkey safely to apache without requiring
> the passphrase be typed in each time the private key is used?
Contradictory goals. The idea behind a passphrase is that someone who steals the key can't use it because the passphrase only exists in wetware (your brain). The idea behind unattended startup is that wetware is not to be involved.

You can put the passphrase in a file, of course, but then the attacker just steals the passphrase file. You haven't secured anything, you've just moved the problem around.

Some people put the key on an external medium (say, a floppy diskette, CD-ROM, or USB flash drive), and physically remove the medium except during Apache startup. This means you're safer against a remote attack, but now someone still has to be there to do the medium attachment, and that someone can still use the medium to read the passphrase, so you might as well just tell them the passphrase. Or write it on a Post-It note and stick it to the CRT, along with instructions on how to type it in when the system is sitting there during boot prompting for it.

-- Ben

_______________________________________________
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/