[stunnel-users] keyfile is not encrypted

Michal Trojnara Michal.Trojnara at mirt.net
Wed Jul 15 15:38:05 CEST 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Madhava,

I'm not sure which FIPS standard requires encryption keys *not* not be
stored in plaintext.  The standard just does not make sense.
An attacker, who can bypass file permissions to download the private
key, can use the same method to modify stunnel or OpenSSL to save the
key once it is decrypted.

If you can provide the passphrase over the network, you can as well
provide the private key itself...

Mike

On 14.07.2015 01:35, Madhava Gaikwad (madgaikw) wrote:
> Hello,
> 
> I am asking too much, but keyfile with stunnel is required to be
> stored on disk (I am aware about file permission applied) and is in
> plain text. Is there any way we can encrypt the keyfile and then
> store, and then subsequently ask stunnel to obtain the decryption
> key somehow and then use it.
> 
> 
> 
> For encryption/decryption of the key, stunnel (or some other
> program) can give network based ability(service over socket) to
> provide the key so key can be encrypted by the third party(who
> generates the config for stunnel). Stunnel config option will
> specify key is encrypted and therefore stunnel knows why and how to
> decrypt it.
> 
> Of course you will ask me to implement my own custom algo for this,
> but I am checking if anybody has thought about it or in such case,
> how they have worked on it. I was told, there is also basic level
> of FIPS compliance requirement that requires key not to be stored
> on disk in plain text irrespective of file permission.
> 
> 
> 
> 
> 
> Thank you.
> 
> Madhava
> 
> 
> 
> _______________________________________________ stunnel-users
> mailing list stunnel-users at stunnel.org 
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVpmI9AAoJEC78f/DUFuAUGiEQAL0PUZNLvVNuh2YgDeQgiJVS
LbQ3JoiDCUsT+5AzlSFQX2nmcnAH4iDFvK1vQj8TKYzODTcUzJkVxuutKGOOra3U
rypMAm3R0ZUEn5Z43GLVSC7zIeX5z49xkjyDe9oDfrIMy0Q28wfkjBqMKsGc5b5w
7uwBPy4Gq1i/ZYRprSXmONtUpIXcF1iSCFV9imG2Yiwd4e+VxSfhG6LnpXhnKnCb
Heju8JRXQDiWfZn11Jiy7OM7sA4GhA/bwe71uFB9UqO2mkX34lIazVnaYUiyxRJn
jpASNL0+pck3qWyawYOuhGbgiCrcAYh0BTPBMv2Xf2rDwXJyJvBeODzvTlMTuQe2
L2rV7yWCWt4B9KySfgj8hckyvdTm3/UHhNnc9xuf0wTkxxEZciswddPEzGamuxam
dRhijzLx63TU2wBAjZ2EPjnXvqfxFdhZhC1ifyVNwVabKtoIbAohkcPvtUYaACZ5
2AFbXv0M6ePUJoAWwHNv76GjFyogDNW/DvLhRpDlOghQ3z7IqdD0ZXPAHyOzTy3k
F7d/N0DN73PR+QI8DDa7LXlv+qLuVBSDt/hhUtNqrnx34uXqYTJEbASKcZXEYlkb
2Fy2hyzcMHLxrC/gt70jTRUSsImVApZcExcVCMF+TSplAqSpUYYF8SdbKqYfFrw3
Y/22QDLIXpEMP4SXFX46
=tliJ
-----END PGP SIGNATURE-----


More information about the stunnel-users mailing list