
What is the best place to store certificates and keys which are confidential and sensitive?

As I understand it, LUKS is fine and the kernel transparently handles encryption/decryption. Also, the LUKS volume could contain anything and everything, like a normal file system.

On the other hand, I came across softhsm from OpenDNSSec, which offers similar security to a hardware HSM except for physical security. Also, moving forward, if I ever wish to use a TPM or smartcard, I could extend the current codebase using the PKCS#11 interface.

Which of these security controls is superior for the purposes of storing keys and certificates?

Also, currently the key used for the encrypted volume is a function of a couple of critical/important parameters that are unique per device, and it is used for decrypting the volume. Does it weaken security that one could see how the key is derived, since the derivation is visible in script files (plaintext)? My current hardening for this is auto-starting the job as root and specifying an ACL for the script so that other users are not able to view the file.

  • Did you try to edit your question as an anonymous user? There is an edit pending, although I am not sure if it's by you or someone else. –  Feb 18 '21 at 10:22
  • yes. I did edit the question. – Baranikumar Venkatesan Feb 18 '21 at 11:01
  • Thank you. If you log in beforehand, then your edits won't require approval. –  Feb 18 '21 at 12:29
  • *Which of these security controls is superior for the purposes of storing keys and certificates?* Only you can answer this - one benefit of LUKS is the multiple key-slots that allow you to open the volume (giving you multiple 'backup keys' to unlock input key material) as well as *Argon2* from the cmdline (LUKS2). The downside is that once you unlock it, the contents are available to any process running as the user for which the volume is mounted (though a soft-HSM potentially has the same problem). Please edit your question to specify what your requirements are for the encrypted store. – brynk Mar 01 '21 at 03:12
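
As an added illustration of the question's last paragraph (not code from the poster or from LUKS/SoftHSM): a visible derivation recipe is not itself the weakness; the key is only as secret as its inputs, so a derivation from device parameters alone can be reproduced by anyone who can read those parameters. The example mixes the parameters with a secret "pepper" that must live in a private (0600) file, refuses to proceed if that file is readable by others, and uses stdlib scrypt as a stand-in for the Argon2 that LUKS2 uses; the device parameters and pepper path are constructed sample values.

```python
import hashlib
import os
import stat
import tempfile

# Constructed sample of the per-device parameters the question describes;
# illustrative values only, not identifiers from any real device.
DEVICE_PARAMS = {"board_serial": "SN-0001-EXAMPLE", "eth0_mac": "02:00:00:aa:bb:cc"}


def secret_file_is_private(path: str) -> bool:
    """True only if the pepper file belongs to the current user and carries
    no group/other permission bits (the ACL hardening from the question)."""
    st = os.stat(path)
    return st.st_uid == os.getuid() and (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def derive_volume_passphrase(params: dict, pepper: bytes) -> bytes:
    """Derive a 32-byte volume passphrase from device parameters plus a secret pepper.
    The recipe may be public (Kerckhoffs); security rests only on the pepper.
    scrypt (memory-hard, stdlib) stands in for LUKS2's Argon2 here."""
    if not pepper:
        raise ValueError("refusing to derive a key from public device parameters alone")
    material = "\n".join(f"{k}={params[k]}" for k in sorted(params)).encode()
    return hashlib.scrypt(material, salt=pepper, n=2**14, r=8, p=1, dklen=32)


def load_pepper(path: str) -> bytes:
    """Read the per-device secret, refusing if the file is not private."""
    if not secret_file_is_private(path):
        raise PermissionError(f"{path} is readable by other users")
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Write a constructed pepper into a 0600 file and derive the passphrase twice."""
    with tempfile.TemporaryDirectory() as d:
        pepper_path = os.path.join(d, "pepper")  # constructed path for the demo
        fd = os.open(pepper_path, os.O_WRONLY | os.O_CREAT, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(32))  # constructed secret for the demo
        pep = load_pepper(pepper_path)
        first = derive_volume_passphrase(DEVICE_PARAMS, pep)
        second = derive_volume_passphrase(DEVICE_PARAMS, pep)
        # Knowing the recipe and the device parameters but not the pepper yields a different key.
        other = derive_volume_passphrase(DEVICE_PARAMS, os.urandom(32))
        return {"len": len(first), "stable": first == second, "pepper_matters": first != other}


if __name__ == "__main__":
    print(demo())
```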

0 Answers