Hello Maxim,

Thanks for your prompt response. The OpenSSL engine being responsible for the behavior makes a lot of sense. I am sorry, since "pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);" confused me and made me assume that it's getting loaded during startup.

I am using engine_pkcs11 to integrate with the HSM. I will dive deeper into the engine code to understand and tweak the behavior. Thanks again for your help.

On Mon, Jun 15, 2015 at 7:42 PM, Maxim Dounin <mdou...@mdounin.ru> wrote:

> Hello!
>
> On Mon, Jun 15, 2015 at 11:58:46AM +0530, gaurav gupta wrote:
>
> > Hello Folks,
> >
> > Currently we store SSL private keys in a file on production servers. We are
> > looking to move SSL keys to an HSM for security reasons so the private key never
> > leaves the HSM. After Heartbleed, I found a lot of suggestions to move SSL keys
> > to an HSM so keys are inaccessible, but could not find any direct integration
> > for nginx.
> >
> > On some search I found Dmitri's patch
> > http://forum.nginx.org/read.php?29,251983,255297#msg-255297 to support
> > engine keyform to load the SSL key. I was able to get it working and it works like
> > magic, but as far as I understand it's still loaded in memory every time
> > nginx starts. The benefit of loading the SSL key from the HSM is that the key is not stored
> > in a plain text file, but it's still in memory.
> >
> > Can you please suggest how we can use the HSM to perform asymmetric crypto operations
> > as well so the private key never leaves the HSM.
> >
> > PS: I found accessl https://github.com/gozdal/accessl which makes use of the
> > OpenSSL engine mechanism to offload key storage and crypto operations.
>
> The patch in question was committed in 1.7.9, and is available in all
> recent versions of nginx. It allows loading keys from arbitrary
> OpenSSL engines, and what "load" means depends on the engine used.
> That is, it's up to the OpenSSL engine to avoid actual loading of keys
> into memory.
>
> --
> Maxim Dounin
> http://nginx.org/

--
Thanks & Regards,
Gaurav Gupta
7676-999-350
"Quality is never an accident. It is always the result of intelligent effort" - John Ruskin
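The engine keyform that Maxim refers to, written out as an added example (not from this thread, nor from nginx's or engine_pkcs11's own documentation); the certificate path, server name and PKCS#11 key id are placeholders, and it assumes engine_pkcs11 is already registered as the "pkcs11" engine in OpenSSL's configuration:

```nginx
# Added example: nginx 1.7.9+ loading the TLS private key through the OpenSSL
# engine_pkcs11 engine instead of from a PEM file.

# Before: the private key sits in a plain file on disk and its bytes are read
# into the nginx master/worker memory at startup.
#
#   ssl_certificate_key /etc/nginx/ssl/example.key;   # placeholder path

# Main context: have nginx initialise the OpenSSL engine. The engine name
# "pkcs11" is what engine_pkcs11 registers itself as (assumption: it is set up
# in openssl.cnf).
ssl_engine pkcs11;

http {
    server {
        listen 443 ssl;
        server_name example.com;                        # placeholder

        # The certificate is public and can stay on disk.
        ssl_certificate /etc/nginx/ssl/example.crt;     # placeholder path

        # After: "engine:<engine name>:<key id>". nginx hands the id to
        # ENGINE_load_private_key(); engine_pkcs11 returns an EVP_PKEY whose
        # private-key operations are delegated to the PKCS#11 module, so
        # whether the raw key material ever enters nginx's address space is
        # decided by the token, not by nginx. The id format is engine-specific;
        # the PKCS#11 URI below is a placeholder.
        ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx;object=tls-key;type=private";
    }
}
```

What keeps the key out of host memory is the token's attributes on the key object, not this directive, so after switching, confirm on the HSM side that the key is marked sensitive and non-extractable.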
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel