Question about keychains/securing access to encryption keys
Posted: Mon Oct 04, 2010 7:44 pm
Hi,
Quick background to this question:
I'm working on a web application that will need to encrypt/decrypt data. I'm fully aware of what the issues are with storing private keys on a web server but in this instance there's no alternative so I came up with the following 'scheme':
1. encrypt the data with a symmetric key
2. encrypt the symmetric key with a public/private key pair
3. encrypt the private key with a passphrase
I've since found out that this is how Weave works so I took this as a sign that if Mozilla can do this kind of thing then so can I.
However, what I now need to do is find a way to store the keys in some kind of keychain so that they can't be easily copied or removed from the server. This keychain also needs to be accessible from my PHP scripts of course.
My questions are:
1. Can I use GnuPG's in-built functions to create a secure keychain or do I really need a dedicated app?
2. When SSL certificates are installed on Un*x/Linux servers, how are they secured?
3. Once someone's entered the correct passphrase once, is there a sensible way to re-authenticate the decryption process without keeping the passphrase in memory somewhere?
Thanks in advance,
Mecha Godzilla
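
The three-step scheme described in the post above, sketched in PHP as an added example that is not part of the original post. It assumes PHP 7.1+ with the openssl extension; the function names (`make_keypair`, `seal`, `open_sealed`), key sizes, cipher choices and sample values are assumptions made for illustration.

```php
<?php
// Added illustration of the post's three steps; function names are hypothetical.
// Assumes PHP 7.1+ with the openssl extension (needed for AES-GCM).

// Step 3, done once: create an RSA key pair and export the private key as PEM
// encrypted under the passphrase, so only the wrapped form is ever stored.
function make_keypair(string $passphrase): array {
    $key = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA,
                             'private_key_bits' => 3072]);
    if ($key === false) throw new RuntimeException('key generation failed');
    $ok = openssl_pkey_export($key, $wrappedPem, $passphrase,
                              ['encrypt_key_cipher' => OPENSSL_CIPHER_AES_256_CBC]);
    if (!$ok) throw new RuntimeException('private key export failed');
    return [openssl_pkey_get_details($key)['key'], $wrappedPem];
}

// Steps 1 and 2: a fresh symmetric key per record encrypts the data (AES-256-GCM),
// then the public key wraps that symmetric key (RSA-OAEP). No passphrase needed here.
function seal(string $plaintext, string $publicPem): array {
    $dataKey = random_bytes(32);
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $dataKey, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) throw new RuntimeException('data encryption failed');
    if (!openssl_public_encrypt($dataKey, $wrappedKey, $publicPem, OPENSSL_PKCS1_OAEP_PADDING))
        throw new RuntimeException('key wrapping failed');
    return ['key' => $wrappedKey, 'iv' => $iv, 'tag' => $tag, 'ct' => $ct];
}

// Reverse path: the passphrase unlocks the private key, which unwraps the data key.
function open_sealed(array $rec, string $wrappedPem, string $passphrase): string {
    $priv = openssl_pkey_get_private($wrappedPem, $passphrase);
    if ($priv === false) throw new RuntimeException('wrong passphrase or damaged key');
    if (!openssl_private_decrypt($rec['key'], $dataKey, $priv, OPENSSL_PKCS1_OAEP_PADDING))
        throw new RuntimeException('key unwrapping failed');
    $pt = openssl_decrypt($rec['ct'], 'aes-256-gcm', $dataKey, OPENSSL_RAW_DATA,
                          $rec['iv'], $rec['tag']);
    if ($pt === false) throw new RuntimeException('ciphertext failed authentication');
    return $pt;
}

// Constructed sample values for the demonstration.
[$publicPem, $wrappedPem] = make_keypair('constructed example passphrase');
$record = seal('constructed sample record', $publicPem);
echo open_sealed($record, $wrappedPem, 'constructed example passphrase'), "\n";
try {
    open_sealed($record, $wrappedPem, 'not the passphrase');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The server can encrypt new records holding only the public key; the passphrase is needed only on the decryption path.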