-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi Madhava,
I'm not sure which FIPS standard requires encryption keys *not* not be stored in plaintext. The standard just does not make sense. An attacker, who can bypass file permissions to download the private key, can use the same method to modify stunnel or OpenSSL to save the key once it is decrypted.
If you can provide the passphrase over the network, you can as well provide the private key itself...
Mike
On 14.07.2015 01:35, Madhava Gaikwad (madgaikw) wrote:
Hello,
I am asking too much, but keyfile with stunnel is required to be stored on disk (I am aware about file permission applied) and is in plain text. Is there any way we can encrypt the keyfile and then store, and then subsequently ask stunnel to obtain the decryption key somehow and then use it.
For encryption/decryption of the key, stunnel (or some other program) can give network based ability(service over socket) to provide the key so key can be encrypted by the third party(who generates the config for stunnel). Stunnel config option will specify key is encrypted and therefore stunnel knows why and how to decrypt it.
Of course you will ask me to implement my own custom algo for this, but I am checking if anybody has thought about it or in such case, how they have worked on it. I was told, there is also basic level of FIPS compliance requirement that requires key not to be stored on disk in plain text irrespective of file permission.
Thank you.
Madhava
_______________________________________________ stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users