On Wed, Aug 30, 2000 at 09:53:04AM -0500, [EMAIL PROTECTED] wrote:
> Does anyone have any information about how to secure the private keys for
> my websites? If someone manages to hack my webserver, I don't want them to
> be able to access my private keys.
They will still be loaded in memory as long as the webserver is running.
>
> I would like to store the private keys on a separate high-security system
> and have mod_ssl read them via a network connection when I start the server.
>
You could of course place the files on an NFS share, but that would IMHO
be a very bad idea. If you want something automatic, that will allow your
webserver to connect to a remote system and read the keys from that every
time it is restarted, then it would be really easy for an attacker to fire
up a slightly modified version of Apache and just have it save a copy of
the key. If you don't mind a bit of manual labor when the server is restarted,
then you could just put the key on a floppy (or other removable media) and
only have that media in the machine on those rare occasions where you need
to restart Apache.
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]