I agree, NFS would be a bad idea.
I could probably burn the keys on to a CD and use that when I reboot. The
rest of the time, I could store the CD in a secure location.
I have also been reading about how it is relatively easy to scan through
memory (assuming you have root permission) and locate a key. I'm not sure
how to defend against this kind of attack, except to make sure that your
system is secure. If an attacker can gain root access, he can probably get
the private key somehow.
Jeff
At 06:28 PM 8/30/00 +0200, you wrote:
>On Wed, Aug 30, 2000 at 09:53:04AM -0500, [EMAIL PROTECTED] wrote:
> > Does anyone have any information about how to secure the private keys for
> > my websites? If someone manages to hack my webserver, I don't want them to
> > be able to access my private keys.
>
>They will still be loaded in memory as long as the webserver is running.
> >
> > I would like to store the private keys on a separate high-security system
> > and have mod_ssl read them via a network connection when I start the server.
> >
>You could of course place the files on an NFS share, but that would IMHO
>be a very bad idea. If you want something automatic, that will allow your
>webserver to connect to a remote system and read the keys from that every
>time it is restarted, then it would be really easy for an attacker to fire
>up a slightly modified version of Apache and just have it save a copy of
>the key. If you don't mind a bit of manual labor when the server is restarted,
>then you could just put the key on a floppy (or other removable media) and
>only have that media in the machine on those rare occasions where you need
>to restart apache.
>
>vh
>
>Mads Toftum
>--
>`Darn it, who spiked my coffee with water?!' - lwall
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl) www.modssl.org
>User Support Mailing List [EMAIL PROTECTED]
>Automated List Manager [EMAIL PROTECTED]
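An added example, not from either poster and not part of mod_ssl: a pre-start check for the removable-media approach Mads describes, run before Apache is started and the media removed again. The mount point /mnt/keymedia, the key file name and the function name are assumptions.

```shell
# Hypothetical pre-start check for a private key kept on removable media.
# Verifies, before the server is started, that the key is actually on the
# media (not a stray copy on the server's own disk), is not on a network
# filesystem, and is unreadable to anyone but its owner.
# Returns 0 when every check passes, 1 otherwise.

check_key_file() {
    key="$1"     # path to the private key, e.g. /mnt/keymedia/server.key
    media="$2"   # mount point of the removable media, e.g. /mnt/keymedia

    if [ ! -f "$key" ]; then
        echo "check: $key missing (is the removable media mounted?)" >&2
        return 1
    fi

    # The key must live under the media mount point, so no copy lingers
    # on the server's own disk once the media is removed.
    case "$key" in
        "$media"/*) ;;
        *) echo "check: $key is not under $media" >&2; return 1 ;;
    esac

    # Heuristic network-filesystem check: df reports NFS mounts as
    # host:/export in the filesystem column, so a colon means remote.
    dev=$(df -P "$key" | awk 'NR==2 { print $1 }')
    case "$dev" in
        *:*) echo "check: $key is on a network filesystem ($dev)" >&2; return 1 ;;
    esac

    # Group and others must have no access at all (mode 0400 or 0600).
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
        400|600) ;;
        *) echo "check: $key has mode $mode, expected 400 or 600" >&2; return 1 ;;
    esac
    return 0
}

# Typical use (commented out so the file can be sourced):
# mount /mnt/keymedia \
#   && check_key_file /mnt/keymedia/server.key /mnt/keymedia \
#   && apachectl start
# umount /mnt/keymedia
```

Once Apache has read the key the media can be unmounted; as Mads notes, the key itself still stays in the running process's memory.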