Re: Nginx HSM integration for SSL termination

Maxim Dounin
June 15, 2015 10:14AM
Hello!

On Mon, Jun 15, 2015 at 11:58:46AM +0530, gaurav gupta wrote:

> Hello Folks,
>
> Currently we store SSL private keys in files on production servers. We are
> looking to move SSL keys to an HSM for security reasons so the private key never
> leaves the HSM. After Heartbleed, I found a lot of suggestions to move SSL keys
> to an HSM so keys are inaccessible, but could not find any direct integration
> for nginx.
>
> On some searching I found Dmitri's patch
> http://forum.nginx.org/read.php?29,251983,255297#msg-255297 to support the
> engine keyform to load the SSL key. I was able to get it working and it works like
> magic, but as far as I understand it's still loaded in memory every time
> nginx starts. The benefit of loading the SSL key from the HSM is that the key is not stored
> in a plain-text file, but it's still in memory.
>
> Can you please suggest how we can use the HSM to perform asymmetric crypto operations
> as well so the private key never leaves the HSM.
>
> PS: I found accessl https://github.com/gozdal/accessl which makes use of the
> OpenSSL engine mechanism to offload key storage and crypto operations.

The patch in question was committed in 1.7.9, and is available in all
recent versions of nginx. It allows loading keys from arbitrary
OpenSSL engines, and what "load" means depends on the engine used.
That is, it's up to the OpenSSL engine to avoid actual loading of keys
into memory.

--
Maxim Dounin
http://nginx.org/

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
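For reference, here is what the engine-based key loading discussed above looks like in practice. This is an added illustration, not configuration from the original thread or from nginx itself: the `engine:name:id` form of `ssl_certificate_key` (available since 1.7.9) is real nginx syntax, while the engine name `pkcs11`, the PKCS#11 module path and the key URI are assumptions that depend on the HSM vendor and on how the engine is registered in openssl.cnf. Whether the private key ever leaves the HSM is decided by that engine, not by nginx.

```nginx
# --- nginx.conf (server block) ---
# Before: the private key is a plain file on disk, read into nginx memory.
#     ssl_certificate     /etc/nginx/tls/example.crt;
#     ssl_certificate_key /etc/nginx/tls/example.key;
#
# After: the key is referenced through an OpenSSL engine. nginx never opens
# a key file; it asks the engine named "pkcs11" (assumed) for the object
# identified by the PKCS#11 URI (assumed/placeholder values).
server {
    listen 443 ssl;
    server_name example.com;   # placeholder

    ssl_certificate     /etc/nginx/tls/example.crt;
    ssl_certificate_key "engine:pkcs11:pkcs11:token=HSM_TOKEN;object=nginx-tls-key;type=private";
}

# --- openssl.cnf (must be reachable by the nginx worker, e.g. via OPENSSL_CONF) ---
# Registers the dynamic pkcs11 engine so ENGINE_by_id("pkcs11") succeeds.
# Library paths are assumptions; adjust to the installed libp11 and HSM module.
#
# openssl_conf = openssl_init
#
# [openssl_init]
# engines = engine_section
#
# [engine_section]
# pkcs11 = pkcs11_section
#
# [pkcs11_section]
# engine_id   = pkcs11
# dynamic_path = /usr/lib/engines/pkcs11.so          # assumed path
# MODULE_PATH  = /usr/lib/hsm-vendor/libpkcs11.so    # assumed path
# init = 0
```

A quick way to confirm the key is being resolved through the engine rather than from disk is to check that no `.key` file is referenced in the running configuration and that the HSM's own audit log records a sign operation for each TLS handshake.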