Well, it would maybe be smart to put all the certs and a startup script with passphrases on an encrypted disk, where you have to manually mount the encrypted disk, then run the script. Or you could leave the certs in unencrypted space, and just have the script encrypted. Then unmount the encrypted partition when the script has been used? This would require some manual interaction, but it would secure your script. I have also been told there is to be a new version of Stronghold (I don't know if this works on *nix though), with a hardware "keyfile" which plugs into a USB port. With it attached it's possible to mount the partition, but without it, it's blocked.

At 11:19 29.11.2001 +0100, you wrote:
> > perhaps if the script was on another machine the far side of a one-way
> > firewall ?
>
>Sneaky... But I'm a root-privileged hacker on the web-server, remember.
>So all I have to do is make the same request of your "pass-phrase
>server" that the web-server makes when it boots then get the pass-phrase
>from the reply.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]