Securing private keys with ACL


#1

In order to preserve this service as is, fast, easy, free and secure, I think we (all users) should consider matter of securing private key files seriously. Please share your tips if any, I will start:

One shall never use UNIX file permissions higher than 0600 (r--------) for private key files. If your private key have to be shared with multiple services which belong to different groups (like Apache and MySQL), You should consider using ACL to create new group, add users to this group and change ownership to newly created group…


#2

First point is that it should be readonly for users and no others and this is 0400 and not 0600 (rw-------).
You do not always need to create an new group. You can also use setfacl to give read permissions to
different users.
If you want the be more secure you can use an system that support encrypted private
key and the server ask for the password on startup.
Next level of security would be an hardware key module.
-> If this is to expensive for you you can run an sign/encrypt service on an raspberry that only support these to operations over an cross over cable. So an attacker would not be able to gain access to the private key.