
Hi Madhava,

I'm not sure which FIPS standard requires encryption keys *not* to be stored in plaintext. The standard just does not make sense. An attacker who can bypass file permissions to download the private key can use the same method to modify stunnel or OpenSSL to save the key once it is decrypted. If you can provide the passphrase over the network, you can as well provide the private key itself...

Mike

On 14.07.2015 01:35, Madhava Gaikwad (madgaikw) wrote:
Hello,
Perhaps I am asking too much, but the key file for stunnel is required to be stored on disk (I am aware of the file permissions applied) and is in plain text. Is there any way we can encrypt the key file before storing it, and then have stunnel obtain the decryption key somehow and use it?
For encryption/decryption of the key, stunnel (or some other program) could provide a network-based facility (a service over a socket) to supply the key, so that the key can be encrypted by the third party (who generates the config for stunnel). A stunnel config option would specify that the key is encrypted, so that stunnel knows why and how to decrypt it.
Of course you will ask me to implement my own custom algorithm for this, but I am checking whether anybody has thought about it or, in such a case, how they have handled it. I was told there is also a basic level of FIPS compliance requirement that requires the key not to be stored on disk in plain text, irrespective of file permissions.
Thank you.
Madhava
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
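The first half of what Madhava asks for, keeping the PEM private key on disk only in passphrase-encrypted form, is something the OpenSSL command line already does. The script below is an added example written for this thread, not code from stunnel or from either poster. It generates a throwaway RSA key, re-encodes it as a PKCS#8 EncryptedPrivateKeyInfo protected by a passphrase, removes the cleartext copy, and checks that the encrypted file round-trips only with the right passphrase. It assumes the openssl CLI (1.1.1 or 3.x) is on PATH; the file names and the passphrase are placeholders. It deliberately does not address where the passphrase comes from at stunnel start-up, which is Mike's objection: whoever can read the passphrase file or the socket that delivers it is in the same position as someone who can read the key.

```shell
#!/bin/sh
# Added example (not from stunnel or the thread's authors): keep a private
# key on disk only as a passphrase-encrypted PKCS#8 file and verify it.
# Assumes the openssl CLI is installed. Paths and passphrase are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASSPHRASE='correct horse battery staple'   # placeholder, illustration only

# Step 1: generate a throwaway RSA key (constructed input) and record its
# public half, so the encrypted copy can later be checked against it without
# ever writing the decrypted private key back to disk.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/key.pem" 2>/dev/null
openssl pkey -in "$WORK/key.pem" -pubout -out "$WORK/key.pub"

# Step 2: re-encode as PKCS#8 EncryptedPrivateKeyInfo (AES-256-CBC, PBKDF2)
# and delete the cleartext. The passphrase is passed through a 0600 file
# rather than "pass:..." on the command line, which would show up in ps.
printf '%s\n' "$PASSPHRASE" > "$WORK/pass"
chmod 600 "$WORK/pass"
openssl pkey -in "$WORK/key.pem" -aes-256-cbc \
    -passout "file:$WORK/pass" -out "$WORK/key.enc.pem"
chmod 600 "$WORK/key.enc.pem"
rm -f "$WORK/key.pem"

# Check 1: the stored file is the encrypted PKCS#8 form, not a raw key.
encrypted_at_rest() {
    grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$WORK/key.enc.pem" &&
    ! grep -Eq -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$WORK/key.enc.pem"
}

# Check 2: with the right passphrase the key decrypts in memory and its
# public half matches the original. The decrypted key is never written out.
decrypts_with_passphrase() {
    got="$(openssl pkey -in "$WORK/key.enc.pem" -passin "file:$WORK/pass" \
        -pubout 2>/dev/null)"
    want="$(cat "$WORK/key.pub")"
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Check 3: a wrong passphrase is rejected, so the file alone is not the key.
rejects_wrong_passphrase() {
    ! openssl pkey -in "$WORK/key.enc.pem" -passin pass:wrong -noout 2>/dev/null
}

# Usage: run all three checks.
encrypted_at_rest && decrypts_with_passphrase && rejects_wrong_passphrase &&
    echo "key stored encrypted; decrypts only with the passphrase"
```

The encrypted file is what a process would have to unlock at start-up; the script shows the format and the round-trip, nothing about how stunnel itself would obtain the passphrase.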