如何存储OpenSSL密钥
[英]How to store OpenSSL keys
问题描述
I have a private and a public key in my Linux system. 
我的Linux系统中有一个私钥和一个公钥。 What is the best way to store the private key? 存储私钥的最佳方法是什么? Is there a proper directory? 有适当的目录吗? Do I need to create a user to own the key? 我需要创建一个用户来拥有密钥吗? How to improve the key protection? 如何提高按键保护能力?
2 个解决方案
解决方案1
1 2016-01-05 13:18:59
If you're just storing keys (don't need them for any application on that host), it's common practice to store them somewhere inside your HOME directory (bonus if you're the superuser), restricting permissions to u=r,go= (or 0400 ). 如果您只是存储密钥(该主机上的任何应用程序都不需要密钥),通常的做法是将密钥存储在HOME目录中的某个位置(如果您是超级用户,则奖励),将权限限制为u=r,go= (或0400 )。 Private keys are better protected if stored as PKCS #12 (encrypted format), preferably using a strong password . 如果将私钥存储为PKCS#12 (加密格式),则最好得到更好的保护,最好使用强密码 。
CAUTION : These simple practices alone don't guarantee your host won't be compromised, allowing an attacker to retrieve your certs/keys when you decrypt & use them. 注意 :仅这些简单的实践并不能保证您的主机不会受到损害,从而使攻击者在解密和使用它们时可以检索您的证书/密钥。
解决方案2
1 2016-01-05 19:50:00
The best place to store a private key is in a smart card or hardware security module. 存储私钥的最佳位置是在智能卡或硬件安全模块中。 It can be used, but never stolen that way. 可以使用它,但绝不能那样偷。
The next best place is by using access control. 第二好的地方是使用访问控制。 Have it owned and readable only by you and readable only by the process that needs to read it. 只有您自己拥有和阅读它,并且仅由需要阅读的过程才能阅读。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.