Securing the HTTPS private key

Maxim Dounin mdounin at
Thu Nov 15 13:03:14 UTC 2018


On Wed, Nov 14, 2018 at 12:17:57PM -0800, Roger Fischer wrote:

> Hello,
> does NGINX support any mechanisms to securely access the private 
> key of server certificates?
> Specifically, could NGINX make a request to a key store, rather 
> than reading from a local file?
> Are there any best practices for keeping private keys secure?
> I understand the basics. The key file should only be readable by 
> root. I cannot protect the key with a pass-phrase, as NGINX 
> needs to start and restart autonomously.

You actually can protect the key using a passphrase, see  Though this might not be 
the best idea due to basically the same security provided, while 
involving higher complexity.

Also, you can use "engine:..." syntax to load keys via OpenSSL 
engines.  This allows using various complex key stores, including 
hardware tokens, to access keys, though may not be trivial to 

Maxim Dounin
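The three ways of pointing nginx at a server key that come up in the reply above, written out as configuration. This is an added illustration and is not part of the original post or of nginx's own documentation. The directives `ssl_certificate`, `ssl_certificate_key`, `ssl_password_file` and the `engine:name:id` form of `ssl_certificate_key` are real nginx directives; every path, host name, the engine name `pkcs11` and the key id are placeholders assumed for the example.

```nginx
# Added example, not from the original mailing list post.
# Three ways nginx can obtain a TLS private key; all names and paths are assumed.

# 1. Plain key file. Anyone who can read the file has the key, so it must be
#    owned by root with mode 0600; the master process reads it as root before
#    the workers drop to the unprivileged user.
server {
    listen 443 ssl;
    server_name plain.example.com;                        # assumed name
    ssl_certificate     /etc/nginx/tls/cert.pem;          # assumed path
    ssl_certificate_key /etc/nginx/tls/key.pem;           # assumed path, mode 0600
}

# 2. Passphrase-protected (encrypted PEM) key plus ssl_password_file, so that
#    nginx can still start and reload unattended. The passphrase file needs
#    exactly the same protection as the key, which is why the reply calls this
#    "the same security" at the cost of more moving parts.
server {
    listen 443 ssl;
    server_name encrypted.example.com;                    # assumed name
    ssl_certificate     /etc/nginx/tls/cert.pem;          # assumed path
    ssl_certificate_key /etc/nginx/tls/key-encrypted.pem; # assumed path
    ssl_password_file   /etc/nginx/tls/key.pass;          # assumed path, mode 0600
}

# 3. Key held inside an OpenSSL engine (PKCS#11 token, HSM, TPM-backed engine).
#    The private key never exists as a file; nginx hands signing requests to the
#    engine. Syntax is engine:<engine name>:<key id>; the id is engine-specific
#    (assumed here to be a PKCS#11 URI accepted by a "pkcs11" engine). The value
#    contains semicolons, so it must be quoted.
server {
    listen 443 ssl;
    server_name hsm.example.com;                          # assumed name
    ssl_certificate     /etc/nginx/tls/cert.pem;          # assumed path
    ssl_certificate_key "engine:pkcs11:pkcs11:token=nginx;object=tls-key;type=private";
}
```

Two things to check before relying on (3): the named engine has to be loadable by the OpenSSL that nginx links against (through `openssl.cnf` or the main-context `ssl_engine` directive), and `nginx -t` only proves the key could be opened at configuration time, not that the token will be present after a reboot, so test an unattended restart as well.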

More information about the nginx mailing list