Are Hoel wrote:
> 
> Well, it would maybe be smart to put all the certs and a startup script with
> passphrases on an encrypted disk, where you have to manually mount the
> encrypted disk, then run the script. Or you could leave the certs in
> unencrypted space, and just have the script encrypted. Then unmount the
> encrypted partition when the script has been used? This would require some
> manual interaction, but it would secure your script.
> I have also been told there is to be a new version of stronghold (I don't
> know if this works on *nix though), with a hardware "keyfile" which plugs
> into a USB port. With it attached it's possible to mount the partition,
> but without it's blocked.

Ha ha ha! Very ironic...... this is a joke, right?

No? Oh dear... hardware key-files? This is like "dongles" that you used
to have to plug into your parallel port to stop you installing software
twice.

You see the crazy situations you get into when you convince yourself you
need a pass-phrase... The only way I can accept pass-phrases is if you
have a server which must be so secure that it must never, ever, be
started without your knowledge and that the certificate must never, ever
be used elsewhere. Then you keep the pass-phrase where no hacker can get
it - in your head.

The downside is that you have to go to the console of the machine and
type it in every time you start apache so no automatic reboot or
restart.

Rgds,

Owen Boyle.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
