Safest way to store TLS private keys without a security module
I am using BeableBone Black devices running Debian which communicate securely with an AWS server over TLS using signed certificates.
I need to store my private keys securely on the devices. The best way to store these is by using a separate hardware security module or TPM connected to the BeagleBone which I don't have just yet.
Just by using the available flash memory, what would be the most secure way that I can store the keys? My applications will of course need access to the keys without any user intervention.
Does encrypting the keys make any sense, for example by using dm-crypt? Decryption of the keys I guess will require a password, but then this password must be stored securely too? What about an encrypted partition?
linux debian encryption dm-crypt beagleboneblack
asked 10 hours ago
Engineer999Engineer999
31319
add a comment |
I am using BeableBone Black devices running Debian which communicate securely with an AWS server over TLS using signed certificates.
I need to store my private keys securely on the devices. The best way to store these is by using a separate hardware security module or TPM connected to the BeagleBone which I don't have just yet.
Just by using the available flash memory, what would be the most secure way that I can store the keys? My applications will of course need access to the keys without any user intervention.
Does encrypting the keys make any sense, for example by using dm-crypt? Decryption of the keys I guess will require a password, but then this password must be stored securely too? What about an encrypted partition?
linux debian encryption dm-crypt beagleboneblack
asked 10 hours ago
Engineer999Engineer999
31319
dm-crypt/encrypt partitions is for physical security; in run-time you are good as a sitting duck. Just design the network parameter security for those machines being able to go out, but not getting any (direct) connections from the Internet.
– Rui F Ribeiro
10 hours ago
@RuiFRibeiro I don't understand sorry
– Engineer999
9 hours ago
add a comment |
I am using BeableBone Black devices running Debian which communicate securely with an AWS server over TLS using signed certificates.
I need to store my private keys securely on the devices. The best way to store these is by using a separate hardware security module or TPM connected to the BeagleBone which I don't have just yet.
Just by using the available flash memory, what would be the most secure way that I can store the keys? My applications will of course need access to the keys without any user intervention.
Does encrypting the keys make any sense, for example by using dm-crypt? Decryption of the keys I guess will require a password, but then this password must be stored securely too? What about an encrypted partition?
linux debian encryption dm-crypt beagleboneblack
asked 10 hours ago
Engineer999Engineer999
31319
I am using BeableBone Black devices running Debian which communicate securely with an AWS server over TLS using signed certificates.
I need to store my private keys securely on the devices. The best way to store these is by using a separate hardware security module or TPM connected to the BeagleBone which I don't have just yet.
Just by using the available flash memory, what would be the most secure way that I can store the keys? My applications will of course need access to the keys without any user intervention.
Does encrypting the keys make any sense, for example by using dm-crypt? Decryption of the keys I guess will require a password, but then this password must be stored securely too? What about an encrypted partition?
linux debian encryption dm-crypt beagleboneblack
linux debian encryption dm-crypt beagleboneblack
asked 10 hours ago
Engineer999Engineer999
31319
asked 10 hours ago
Engineer999Engineer999
31319
asked 10 hours ago
Engineer999Engineer999
31319
asked 10 hours ago
Engineer999Engineer999
31319
asked 10 hours ago
Engineer999Engineer999
31319
31319
dm-crypt/encrypt partitions is for physical security; in run-time you are good as a sitting duck. Just design the network parameter security for those machines being able to go out, but not getting any (direct) connections from the Internet.
– Rui F Ribeiro
10 hours ago
@RuiFRibeiro I don't understand sorry
– Engineer999
9 hours ago
add a comment |
dm-crypt/encrypt partitions is for physical security; in run-time you are good as a sitting duck. Just design the network parameter security for those machines being able to go out, but not getting any (direct) connections from the Internet.
– Rui F Ribeiro
10 hours ago
@RuiFRibeiro I don't understand sorry
– Engineer999
9 hours ago
dm-crypt/encrypt partitions is for physical security; in run-time you are good as a sitting duck. Just design the network parameter security for those machines being able to go out, but not getting any (direct) connections from the Internet.
– Rui F Ribeiro
10 hours ago
dm-crypt/encrypt partitions is for physical security; in run-time you are good as a sitting duck. Just design the network parameter security for those machines being able to go out, but not getting any (direct) connections from the Internet.
– Rui F Ribeiro
10 hours ago
@RuiFRibeiro I don't understand sorry
– Engineer999
9 hours ago
@RuiFRibeiro I don't understand sorry
– Engineer999
9 hours ago
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505328%2fsafest-way-to-store-tls-private-keys-without-a-security-module%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505328%2fsafest-way-to-store-tls-private-keys-without-a-security-module%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
dm-crypt/encrypt partitions is for physical security; in run-time you are good as a sitting duck. Just design the network parameter security for those machines being able to go out, but not getting any (direct) connections from the Internet.
– Rui F Ribeiro
10 hours ago
@RuiFRibeiro I don't understand sorry
– Engineer999
9 hours ago