
List:       apache-ssl
Subject:    [apache-ssl] Automatic startup of httpsd?
From:       Nick Whitelegg <bssnrw () bath ! ac ! uk>
Date:       2002-09-27 14:50:08


Hello,

I would like to automatically start up httpsd without entering the
passphrase on reboot. On scanning the list archives and other stuff on the
net, the most frequently recommended way is to decrypt the key.

What are people's opinions on the security implementations of this? I
guess, to steal the decrypted key, people would need to hack into our
server as root, but if they did that they could access sensitive info
anyway.

The scenario is a webserver used for scientific calculation through which
people may submit possibly confidential data. It has an authentication
certificate from Thawte.

So what do people recommend? Decrypt the key and protect it in the normal
file-permissions based way, or some other approach? Can't think of another
approach which wouldn't involve storing the passphrase in a file, though -
equally potentially insecure.

Thanks,
Nick
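
The file-permissions option raised in the message above can be checked mechanically. The following is an added example, not part of the original post: `audit_key_file`, its `expected_uid` parameter and the sample file bodies are constructed for illustration, and the check assumes a PEM key in which OpenSSL marks passphrase protection with a `Proc-Type: 4,ENCRYPTED` header or an `ENCRYPTED PRIVATE KEY` label.

```python
import os
import stat
import tempfile

# PEM markers of a passphrase-protected key (traditional and PKCS#8 forms).
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "BEGIN ENCRYPTED PRIVATE KEY")
UNENCRYPTED = "unencrypted: file permissions are the only protection"


def audit_key_file(path, expected_uid=0):
    """Return findings for a PEM private key file; an empty list means none."""
    findings = []
    st = os.stat(path)
    with open(path, "r", errors="replace") as fh:
        pem = fh.read()
    if not any(marker in pem for marker in ENCRYPTED_MARKERS):
        findings.append(UNENCRYPTED)
    # Any group/other bit lets a non-owner account read or alter the key.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %03o grants group/other access" % stat.S_IMODE(st.st_mode))
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    # A writable parent directory allows the key file to be replaced or renamed.
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory writable by group/other")
    return findings


def demo():
    """Audit constructed sample files (placeholder bodies, not real keys)."""
    workdir = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    head, tail = "-----BEGIN RSA PRIVATE KEY-----\n", "-----END RSA PRIVATE KEY-----\n"
    plain = head + "CONSTRUCTED-SAMPLE\n" + tail
    locked = head + "Proc-Type: 4,ENCRYPTED\n\nCONSTRUCTED-SAMPLE\n" + tail
    samples = {"plain-0644": (plain, 0o644), "plain-0400": (plain, 0o400),
               "encrypted-0400": (locked, 0o400)}
    results = {}
    for name, (body, mode) in samples.items():
        path = os.path.join(workdir, name + ".pem")
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
        # The demo expects the current user as owner; a real server would expect root (0).
        results[name] = audit_key_file(path, expected_uid=os.getuid())
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```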

