1

I'm trying to use crypt to encrypt some configuration files. Under the hood, crypt uses PGP to do the encryption. The readme states:

In order to decrypt a value, your application will need access to the private key. We recommend putting the private key on the server and protecting it with standard host level security.

What does it mean by protecting it with "standard host level security"? Does this just mean ensuring that file access permissions are restricted?

elimist3

1 Answer

1

Security is often applied in layers, so that if one layer is compromised the other layers will still provide protection. Host level security refers to the layer of security applicable to hosts - primarily related to the operating system, but also to the BIOS and other systems. Other layers include Network and Application security.

Some examples of the vulnerability categories for hosts are provided here:

https://cs.uwlax.edu/~riley/CS555Sum10/readings/3.1.pdf

where they list:

  1. The computer must be secured physically.
  2. The O.S. most likely needs to support multiple users and manage their authorizations.
  3. The O.S. most likely must manage process authorization in a multi-tasking environment.
  4. Some O.S. provide users remote log-in, which introduces unique vulnerabilities.
  5. The O.S. must manage memory as an asset to be used by processes.
  6. The O.S. must provide a secure file system.
  7. The O.S. often provides for certain forms of security related to traffic to its network interfaces.
  8. The O.S. must manage permissions that are granted to application software.

So host level security is more than just file access permissions, and considers the security of the host overall.

DougC
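An added example, not part of the question, the answer, or the crypt project: a small audit of the file-system slice of host-level security (item 6 in the list above) for a private key file. It assumes a Unix host; the file name and the `audit_private_key` helper are constructed for illustration, and the other items on the list (physical security, remote log-in, process authorization, and so on) are outside what it checks.

```python
import os
import stat
import tempfile


def audit_private_key(path, expected_uid=None):
    """Return a list of findings; an empty list means every check passed."""
    uid = os.geteuid() if expected_uid is None else expected_uid
    st = os.lstat(path)  # lstat: inspect the entry itself, never follow a link
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: symlink, audit the real file instead"]
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    findings = []
    if st.st_uid != uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: mode {mode:04o} gives group/other access")
    # Anyone who can write to the directory can rename or replace the key,
    # whatever the file's own mode is (a sticky bit prevents that).
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not pst.st_mode & stat.S_ISVTX:
        findings.append(f"{parent}: directory writable by group/other")
    return findings


def demo():
    """Audit a constructed key file before and after tightening its mode."""
    workdir = tempfile.mkdtemp()  # created 0700, owned by the current user
    key = os.path.join(workdir, "service-private.key")  # constructed name
    with open(key, "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o644)
    before = audit_private_key(key)
    os.chmod(key, 0o600)
    after = audit_private_key(key)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("0644:", before)
    print("0600:", after)
```

Pass `expected_uid` when the audit runs as a different account from the service that reads the key.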