Nginx HSM integration for SSL termination

Maxim Dounin mdounin at
Mon Jun 15 14:12:44 UTC 2015


On Mon, Jun 15, 2015 at 11:58:46AM +0530, gaurav gupta wrote:

> Hello Folks,
> Currently we store ssl private keys in file on production servers. We are
> looking to move SSL keys to HSM for security reasons so private key never
> leave HSM. After heart bleed, I found lot of suggestions to move SSL keys
> to HSM so keys are inaccessible, but could not find any direct integration
> for nginx.
> On some search I found Dmitri's patch
>,251983,255297#msg-255297 to support
> engine Keyform to load SSL key. I was able to get it working and work like
> magic, But as far as I understand its still loaded in memory every time
> nginx starts. Benefit of loading ssl key from HSM is that key is not stored
> in plain text file, but its still in memory.
> Can you please suggest how can we use HSM to perform Asym crypto operations
> as well so private key never leave HSM.
> PS: I found accessl which makes use of
> openssl engine mechanism to offload Key storage and crypto operations.

The patch in question was committed in 1.7.9, and available all 
recent versions of nginx.  It allows to load keys from arbitrary 
OpenSSL engines, and what "load" means depends on the engine used.  
That is, it's up to OpenSSL engine to avoid actual loading of keys 
into memory.

Maxim Dounin

More information about the nginx-devel mailing list