HI

isn't this a bit futile, if they can get onto the box that has nginx they
can get either the private key or secret to get the private key.

safer would be to make it that you need human interact to start nginx.

But till a memory dump of the app would get you the private key.




On Fri, 16 Nov 2018 at 00:03, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Hello!
>
> On Wed, Nov 14, 2018 at 12:17:57PM -0800, Roger Fischer wrote:
>
> > Hello,
> >
> > does NGINX support any mechanisms to securely access the private
> > key of server certificates?
> >
> > Specifically, could NGINX make a request to a key store, rather
> > than reading from a local file?
> >
> > Are there any best practices for keeping private keys secure?
> >
> > I understand the basics. The key file should only be readable by
> > root. I cannot protect the key with a pass-phrase, as NGINX
> > needs to start and restart autonomously.
>
> You actually can protect the key using a passphrase, see
> http://nginx.org/r/ssl_password_file. Though this might not be
> the best idea due to basically the same security provided, while
> involving higher complexity.
>
> Also, you can use "engine:..." syntax to load keys via OpenSSL
> engines. This allows using various complex key stores, including
> hardware tokens, to access keys, though may not be trivial to
> configure.
>
> --
> Maxim Dounin
> http://mdounin.ru/
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx