<div dir="ltr"><div><div><div>Hello Maxim,<br><br></div>Thanks for your prompt response. OpenSSL engine responsible for the behavior makes lot of sense. I am sorry since "pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0);" confused me and made me assume that its getting loaded during startup.<br><br></div>I am using engine_pkcs11 to integrate with HSM. I will dive deeper in the engine code to understand and tweak behavior. <br><br></div>Thanks again for your help.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Jun 15, 2015 at 7:42 PM, Maxim Dounin <span dir="ltr"><<a href="mailto:mdounin@mdounin.ru" target="_blank">mdounin@mdounin.ru</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello!<br>
<span class=""><br>
On Mon, Jun 15, 2015 at 11:58:46AM +0530, gaurav gupta wrote:<br>
<br>
> Hello Folks,<br>
><br>
> Currently we store ssl private keys in file on production servers. We are<br>
> looking to move SSL keys to HSM for security reasons so private key never<br>
> leave HSM. After heart bleed, I found lot of suggestions to move SSL keys<br>
> to HSM so keys are inaccessible, but could not find any direct integration<br>
> for nginx.<br>
><br>
> On some search I found Dmitri's patch<br>
> <a href="http://forum.nginx.org/read.php?29,251983,255297#msg-255297" rel="noreferrer" target="_blank">http://forum.nginx.org/read.php?29,251983,255297#msg-255297</a> to support<br>
> engine Keyform to load SSL key. I was able to get it working and work like<br>
> magic, But as far as I understand its still loaded in memory every time<br>
> nginx starts. Benefit of loading ssl key from HSM is that key is not stored<br>
> in plain text file, but its still in memory.<br>
><br>
> Can you please suggest how can we use HSM to perform Asym crypto operations<br>
> as well so private key never leave HSM.<br>
><br>
> PS: I found accessl <a href="https://github.com/gozdal/accessl" rel="noreferrer" target="_blank">https://github.com/gozdal/accessl</a> which makes use of<br>
> openssl engine mechanism to offload Key storage and crypto operations.<br>
<br>
</span>The patch in question was committed in 1.7.9, and available all<br>
recent versions of nginx. It allows to load keys from arbitrary<br>
OpenSSL engines, and what "load" means depends on the engine used.<br>
That is, it's up to OpenSSL engine to avoid actual loading of keys<br>
into memory.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" rel="noreferrer" target="_blank">http://nginx.org/</a><br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Thanks & Regards,<br>Gaurav Gupta<div>7676-999-350<br><br>"Quality is never an accident. It is always result of intelligent effort" - John Ruskin<br></div></div>
</div>