Nginx HSM integration for SSL termination

gaurav gupta 1989.gaurav at googlemail.com
Mon Jun 15 06:28:46 UTC 2015


Hello Folks,

Currently we store SSL private keys in a file on production servers. We are
looking to move SSL keys to an HSM for security reasons so the private key never
leaves the HSM. After Heartbleed, I found a lot of suggestions to move SSL keys
to an HSM so keys are inaccessible, but could not find any direct integration
for nginx.

On some search I found Dmitri's patch
http://forum.nginx.org/read.php?29,251983,255297#msg-255297 to support
engine keyform to load the SSL key. I was able to get it working and it works like
magic, but as far as I understand it's still loaded in memory every time
nginx starts. The benefit of loading the SSL key from the HSM is that the key is not stored
in a plain text file, but it's still in memory.

Can you please suggest how we can use the HSM to perform asymmetric crypto operations
as well so the private key never leaves the HSM?

PS: I found accessl https://github.com/gozdal/accessl, which makes use of the
OpenSSL engine mechanism to offload key storage and crypto operations.

-- 
Thanks & Regards,
Gaurav Gupta


"Quality is never an accident. It is always the result of intelligent effort" -
John Ruskin
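An added configuration example, not from the original post and not from Dmitri's patch or accessl: the plaintext-file key reference beside the engine-backed form that upstream nginx (1.7.9 and later) accepts through `ssl_engine` and the `engine:name:id` value of `ssl_certificate_key`. The engine name `pkcs11`, the token label, the object name and the file paths are assumptions; the engine itself must be registered in the OpenSSL configuration outside nginx.

```nginx
# Added example (not from the original post). Token label, object name
# and paths are placeholders.

# Weak form: the private key is a plaintext PEM file on disk and is read
# into worker memory when nginx starts.
#
#   ssl_certificate      /etc/nginx/ssl/example.crt;
#   ssl_certificate_key  /etc/nginx/ssl/example.key;

# HSM-backed form: load the OpenSSL engine once, in the main context.
ssl_engine pkcs11;

http {
    server {
        listen 443 ssl;
        server_name example.com;

        # The certificate is public, so it can stay on disk.
        ssl_certificate /etc/nginx/ssl/example.crt;

        # Reference the key by engine name and engine-specific id (for
        # engine_pkcs11 the id is a PKCS#11 URI). nginx obtains only a
        # key handle; OpenSSL delegates the private-key operations to
        # the engine, so a non-extractable key never leaves the token.
        ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx-tls;object=tls-key;type=private";
    }
}
```

Supply the token PIN through the engine's own configuration rather than embedding it in the URI, and verify the setup by confirming that the key object is marked non-extractable on the token and that no PEM private key remains under the nginx configuration directory.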