If you're assuming that the machine is compromised by a savvy attacker, then yeah, he would read the key out of RAM. But I'd argue that it's a couple of degrees harder to get a memory dump and know what to do with it than finding and stealing a file that says ultra-secure-ssl-key-do-not-steal-please.crt.
Another option, and if you're doing heavy SSL you should consider this anyway, is to use an appliance that does the SSL for you. This goes between the router/firewall and the web server, and handles all the SSL traffic, encrypting and decrypting in the middle. The web server never even knows that it's doing SSL sessions. By "appliance" I could be referring to either a commercial device, or there are some how-tos on doing it with Squid, iirc.

-ray wrote:
> True, but if it's in Apache memory, the key is still online. As far as I
> know Apache doesn't do any in-memory key protection, so an intruder could
> just dump Apache memory and the key should be in there in clear text.
>
> A more common practice is to put a passphrase on the private key. This is
> pretty inconvenient as you have to type in the passphrase at every apache
> restart. And if an intruder can read your filesystem-protected key file,
> then the server is probably compromised anyway (see 1st paragraph).
>
> If Apache did some kind of memory protection on the key, then some of the
> protection techniques we've been discussing might be feasible. Otherwise
> they're probably just obfuscation.
>
> ray
>
> On Wed, 28 Nov 2007, Tim Fournet wrote:
>
>> Actually, you only need the private key when _starting_ apache. After
>> it's started, it's loaded in memory and you can take your key offline.
>> Some people go through the trouble of protecting their keys by doing
>> things like only having the volume with the private keys mounted during
>> a startup process, then making the server unable to reach them
>> afterwards. One option would be to keep the keys on a USB drive, and
>> remove that drive after apache starts. Or maybe create a modified
>> filesystem driver that only works if `uptime` is less than a certain
>> amount, and format your ssl-key partition with that filesystem.
>
> _______________________________________________
> General mailing list
> General at brlug.net
> http://mail.brlug.net/mailman/listinfo/general_brlug.net
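An added example, not part of the thread above, to make the "dump Apache memory and the key is in there" argument concrete: a small Python scanner that pulls an RSA private key out of a raw memory image, either as the PEM text Apache read from the key file or as the DER-encoded RSAPrivateKey that PEM decodes to. Everything in it is constructed for the demonstration: the "dump" is seeded random filler with both encodings embedded, and the key has the shape of a PKCS#1 RSAPrivateKey (nine INTEGERs with n == p*q) but is not a real key. The function names, the PEM labels it accepts and the n == p*q sanity check are my choices, not anything from the thread.

```python
"""Scan a raw memory image for RSA private keys, PEM-armoured or DER-encoded.
Added example, not from the brlug.net thread. All data below is constructed:
the "key" has the shape of a PKCS#1 RSAPrivateKey but is NOT a real key."""
import base64
import random
import re

# PEM armour as it sits in a key file or in the buffer Apache read it into.
PEM_RE = re.compile(rb"-----BEGIN ((?:RSA |EC )?PRIVATE KEY)-----\r?\n"
                    rb"(?:[A-Za-z0-9+/=]+\r?\n)+-----END \1-----")

def read_der_length(buf, pos):
    """Decode a DER length field at buf[pos]; return (length, field_size) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, 1
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4 or pos + 1 + nbytes > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big"), 1 + nbytes

def parse_rsa_private_key(blob):
    """Return the nine INTEGERs of SEQUENCE {version=0, n, e, d, p, q, dP, dQ, qInv},
    or None. The n == p*q check keeps random bytes from passing as a key."""
    if not blob or blob[0] != 0x30:
        return None
    hdr = read_der_length(blob, 1)
    if hdr is None:
        return None
    pos, end = 1 + hdr[1], 1 + hdr[1] + hdr[0]
    if end > len(blob):
        return None
    ints = []
    while pos < end:
        h = read_der_length(blob, pos + 1) if blob[pos] == 0x02 else None
        if h is None or pos + 1 + h[1] + h[0] > end:
            return None
        start = pos + 1 + h[1]
        ints.append(int.from_bytes(blob[start:start + h[0]], "big"))
        pos = start + h[0]
    if len(ints) != 9 or ints[0] != 0 or ints[1] != ints[4] * ints[5]:
        return None
    return ints

def find_der_rsa_keys(dump):
    """Return (offset, der_bytes, modulus_bits) for every RSAPrivateKey in dump."""
    found, pos = [], dump.find(b"\x30")
    while pos != -1:
        nxt, hdr = pos + 1, read_der_length(dump, pos + 1)
        if hdr is not None:
            body = pos + 1 + hdr[1]
            # Cheap prefilter: INTEGER 0 (version) followed by another INTEGER tag.
            if dump[body:body + 4] == b"\x02\x01\x00\x02":
                ints = parse_rsa_private_key(dump[pos:body + hdr[0]])
                if ints:
                    found.append((pos, dump[pos:body + hdr[0]], ints[1].bit_length()))
                    nxt = body + hdr[0]
        pos = dump.find(b"\x30", nxt)
    return found

def find_pem_keys(dump):
    """Return (offset, label, decoded_der) for every PEM private-key block in dump."""
    out = []
    for m in PEM_RE.finditer(dump):
        body = b"".join(m.group(0).splitlines()[1:-1])
        out.append((m.start(), m.group(1).decode(), base64.b64decode(body)))
    return out

def scan_dump(dump):
    return {"pem": find_pem_keys(dump), "der": find_der_rsa_keys(dump)}

# Constructed sample data: a minimal DER encoder and a fake RSAPrivateKey.
def der_length(n):
    if n < 0x80:
        return bytes([n])
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(nb)]) + nb

def der_integer(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps the sign bit clear
    return b"\x02" + der_length(len(b)) + b

# Not a real key: p and q are not prime; only the shape and n == p*q hold.
P, Q = 2**512 + 105, 2**511 + 249
_body = b"".join(der_integer(v) for v in
                 [0, P * Q, 65537, 3**600, P, Q, 7**200, 11**190, 13**180])
FAKE_RSA_KEY_DER = b"\x30" + der_length(len(_body)) + _body

def pem_armor(der, label=b"RSA PRIVATE KEY"):
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")

def build_sample_dump():
    """Stand-in for an httpd memory image: seeded filler, a request, the PEM
    text as read from disk, and the DER it decodes to."""
    rng = random.Random(2007)
    filler = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    return (filler(2048) + b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
            + filler(512) + pem_armor(FAKE_RSA_KEY_DER) + filler(1024)
            + FAKE_RSA_KEY_DER + filler(2048))
```

Running scan_dump(build_sample_dump()) returns one PEM hit and one DER hit, each carrying the same key bytes. Two caveats for real use: OpenSSL keeps the parsed key in its own BIGNUM structures, so a dump can still contain the modulus and primes even when neither the PEM buffer nor a DER copy survives, and this scanner does not look for that form; and a real dump is read from /proc/PID/mem or a core file rather than constructed, which needs root or ptrace rights on the httpd process, which is the "couple of degrees harder" in the first paragraph.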
