[stunnel-users] keyfile is not encrypted
Michal.Trojnara at mirt.net
Wed Jul 15 15:38:05 CEST 2015
I'm not sure which FIPS standard requires encryption keys *not* to be
stored in plaintext. The standard just does not make sense.
An attacker, who can bypass file permissions to download the private
key, can use the same method to modify stunnel or OpenSSL to save the
key once it is decrypted.
If you can provide the passphrase over the network, you can as well
provide the private key itself...
On 14.07.2015 01:35, Madhava Gaikwad (madgaikw) wrote:
> I am asking too much, but the keyfile with stunnel is required to be
> stored on disk (I am aware of the file permissions applied) and is in
> plain text. Is there any way we can encrypt the keyfile and then
> store it, and then subsequently ask stunnel to obtain the decryption
> key somehow and then use it?
> For encryption/decryption of the key, stunnel (or some other
> program) can give a network-based ability (a service over a socket) to
> provide the key, so the key can be encrypted by the third party (who
> generates the config for stunnel). A stunnel config option will
> specify that the key is encrypted, and therefore stunnel knows why and how to
> decrypt it.
> Of course you will ask me to implement my own custom algo for this,
> but I am checking if anybody has thought about it or, in such a case,
> how they have worked on it. I was told there is also a basic level
> of FIPS compliance requirement that requires the key not to be stored
> on disk in plain text irrespective of file permissions.
> Thank you.