Securing the HTTPS private key
Maxim Dounin
mdounin at mdounin.ru
Thu Nov 15 13:03:14 UTC 2018
Hello!
On Wed, Nov 14, 2018 at 12:17:57PM -0800, Roger Fischer wrote:
> Hello,
>
> does NGINX support any mechanisms to securely access the private
> key of server certificates?
>
> Specifically, could NGINX make a request to a key store, rather
> than reading from a local file?
>
> Are there any best practices for keeping private keys secure?
>
> I understand the basics. The key file should only be readable by
> root. I cannot protect the key with a pass-phrase, as NGINX
> needs to start and restart autonomously.
You actually can protect the key using a passphrase, see
http://nginx.org/r/ssl_password_file. Though this might not be
the best idea due to basically the same security provided, while
involving higher complexity.
Also, you can use "engine:..." syntax to load keys via OpenSSL
engines. This allows using various complex key stores, including
hardware tokens, to access keys, though may not be trivial to
configure.
--
Maxim Dounin
http://mdounin.ru/
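Both options from the reply above side by side, as an added example that is not part of the original thread; the file paths, the engine name and the key id are placeholders, and the engine is assumed to be loaded through openssl.cnf.

```nginx
# Added example, not from the original thread. Paths, engine name and key id are placeholders.

# Option 1: passphrase-protected key with the passphrase supplied from a file.
# Both files must be readable by the nginx master process (normally root), so
# this gives about the same protection as an unencrypted 0400 root-owned key,
# which is the "same security, higher complexity" point made above.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;   # encrypted PEM, mode 0400 root:root
    ssl_password_file   /etc/nginx/ssl/example.com.pass;  # one passphrase per line, mode 0400 root:root
}

# Option 2: key held by an OpenSSL engine (for example a hardware token).
# nginx never reads the key material itself; it only references the key by
# engine name and id, so a compromise of the host filesystem does not expose it.
# "pkcs11" and KEY_ID_PLACEHOLDER are assumed values; the engine must be
# available to OpenSSL (typically configured in openssl.cnf) before nginx starts.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/ssl/example.com.crt;  # certificate stays a regular file
    ssl_certificate_key engine:pkcs11:KEY_ID_PLACEHOLDER;
}
```

Verify the setup with `nginx -t` before reloading, since an engine that fails to load or a wrong passphrase prevents the master process from starting.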