
I am responsible (among many other things) for managing TLS/SSL certificates for a couple dozen or so websites for a large multinational. Some sites are hosted on Apache, some are on IIS. I use openssl to generate private keys and CSRs; once certificates are issued by the certificate authority, if necessary, I convert them to PFX (for IIS).

As a result of this work, I have private keys and public certificates for nearly 2 dozen large public websites stored on my work laptop. The disk is encrypted and the login process requires username/password AND a fingerprint scan; however, I am still concerned about the safety and security of these. Frankly, I'm not so much worried that a malicious actor may get access to my laptop, but rather that I may lose the data due to theft/loss of the laptop or even due to a hardware failure. The other issue is that if I am unavailable for whatever reason (holiday?), other people in admin roles wouldn't have access to these certs.

I don't feel comfortable syncing these to a public cloud (AWS S3, Azure storage account, OneDrive - we do have OneDrive enterprise). The other options I considered were a git repo (on-prem git server), on-prem shared storage, Azure Key Vault, or simply compressing the whole directory with all the certs with encryption (e.g. 7z with encryption) and then uploading/storing it remotely.

My requirements are:

  • Easy access to all of these files
  • Any storage, especially outside my immediate working directory, is encrypted
  • Other trusted people can access the certs in my absence
  • Ability to bulk sync files with whatever remote location it may be
  • Support for Windows and Linux
  • (Optional) versioning, i.e. when I get a new cert, I have the ability if needed to access the old cert

What are my options and best practices for this work?

Aleks G

1 Answer


I like commercial password managers like 1Password. A great advantage is that access can be shared so that others have access for administration or data recovery. They meet all your requirements, and also provide access history.

Also, these vendors have passed audits for a number of security frameworks, which provides confidence in the security of your data. This also is useful to meet your own compliance objectives, if your own company has security compliance requirements.

Your last idea is best practice IMHO, and what I suggest: "simply compress the whole directory with all the certs with encryption (e.g. 7z with encryption) and then uploading/storing remotely." So, just upload to 1Password, along with the key, and restrict access to appropriate staff. The folder structure in a zip is self-documenting and can be easily extracted anywhere. And no coding or resource management - all SaaS. I/we have enough to manage - I like to leverage a good/cheap SaaS solution, and I don't have to worry about the plumbing at all.

https://1password.com/

Note: There are other vendors; I just highlighted one I use and am familiar with.

Rodrigo Murillo
  • I do use a password manager - for passwords. I can't see any possibility of storing multiple files, in groups, giving selective access to groups of files - and being able to bulk sync files with a remote storage - with a password manager. After all, I'm not storing passwords, I'm storing files - groups of files, some of them binary. – Aleks G Mar 24 '22 at 15:45
  • It does support files, and can be grouped by vault - but bulk sync no. It handles backup, so you may not need bulk sync – Rodrigo Murillo Mar 24 '22 at 16:06
  • If you store them in an encrypted compressed archive, make sure the encryption is actually secure. A lot of zip implementations still use the old Zip 2.0 encryption (aka "traditional" or "legacy" encryption), which is breakable, although not trivially ([1](https://reperiendi.wordpress.com/2020/04/03/how-i-recovered-over-300k-of-bitcoin/), [2](https://www.youtube.com/watch?v=iFS25HfTe20)). – Gordon Davisson Apr 23 '22 at 23:09
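The comment above about legacy Zip 2.0 ("ZipCrypto") encryption is the one thing that can silently undo the answer's "encrypted archive in the vault" approach: the archive looks password-protected, but the key material inside is recoverable. The check below is an added example and is not code from the question, the answer, or 1Password/7-Zip; it reads a zip file's central directory and classifies every member as stored in the clear, ZipCrypto-encrypted (flag bit 0 set, ordinary compression method), or WinZip AES-encrypted (compression method 99 plus the 0x9901 extra field that carries the key size), and only passes a bundle whose members are all AES-encrypted. Because Python's standard zipfile module cannot write encrypted archives, the fixtures are constructed in place: a two-file bundle with placeholder (not real) key and certificate text is written normally and then its central-directory flag and method fields are patched the way an encrypting tool would set them. The file names, the placeholder PEM text, and the `www.example.com` directory are assumptions for the sample only.

```python
"""
Pre-upload check for a zip bundle of TLS private keys and certificates.

Reads the zip central directory and classifies each entry's encryption:
  "none"       - stored in the clear
  "zipcrypto"  - legacy Zip 2.0 / "traditional" PKWARE encryption (weak)
  "aes-<bits>" - WinZip AE-x AES encryption (method 99 + 0x9901 extra field)
The bundle passes only if every entry is AES-encrypted with a known key size.
"""
import io
import struct
import zipfile

CD_SIG, EOCD_SIG = b"PK\x01\x02", b"PK\x05\x06"
CD_HEADER = struct.Struct("<4sHHHHHHIIIHHHHHII")  # 46-byte central-directory file header
EOCD = struct.Struct("<4sHHHHIIH")                # 22-byte end-of-central-directory record
FLAG_ENCRYPTED, AES_METHOD, AES_EXTRA_ID = 0x0001, 99, 0x9901
AES_STRENGTH_BITS = {1: 128, 2: 192, 3: 256}      # strength byte of the 0x9901 extra field


def _central_directory(data):
    """Yield (header_offset, fields, name, extra) for every central-directory entry."""
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0:
        raise ValueError("not a zip file: no end-of-central-directory record")
    n_entries, _cd_size, cd_offset = EOCD.unpack_from(data, eocd_at)[4:7]
    pos = cd_offset
    for _ in range(n_entries):
        fields = CD_HEADER.unpack_from(data, pos)
        if fields[0] != CD_SIG:
            raise ValueError(f"bad central-directory signature at offset {pos}")
        name_len, extra_len, comment_len = fields[10:13]
        name = bytes(data[pos + 46:pos + 46 + name_len]).decode("utf-8", "replace")
        extra = bytes(data[pos + 46 + name_len:pos + 46 + name_len + extra_len])
        yield pos, fields, name, extra
        pos += 46 + name_len + extra_len + comment_len


def _aes_key_bits(extra):
    """Return the AES key size from a WinZip 0x9901 extra field, or None if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        hdr_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if hdr_id == AES_EXTRA_ID and len(body) >= 7:
            # body = vendor version(2) + "AE"(2) + strength(1) + real compression method(2)
            return AES_STRENGTH_BITS.get(body[4])
        pos += 4 + size
    return None


def classify_entries(data):
    """Map each member name to "none", "zipcrypto", "aes-<bits>" or "aes-unknown"."""
    result = {}
    for _pos, fields, name, extra in _central_directory(data):
        flags, method = fields[3], fields[4]
        if not flags & FLAG_ENCRYPTED:
            result[name] = "none"
        elif method == AES_METHOD:
            bits = _aes_key_bits(extra)
            result[name] = f"aes-{bits}" if bits else "aes-unknown"
        else:
            result[name] = "zipcrypto"  # encrypted flag set but not AES: legacy Zip 2.0
    return result


def safe_to_upload(data):
    """True only if every member is AES-encrypted with a recognised key size."""
    kinds = classify_entries(data)
    return bool(kinds) and all(k in {"aes-128", "aes-192", "aes-256"} for k in kinds.values())


# --- Constructed fixtures (placeholder text, not real keys): a bundle like the asker's directory.
SAMPLE_FILES = {
    "www.example.com/privkey.pem": "-----BEGIN PRIVATE KEY-----\nMIIsample\n-----END PRIVATE KEY-----\n",
    "www.example.com/fullchain.pem": "-----BEGIN CERTIFICATE-----\nMIIsample\n-----END CERTIFICATE-----\n",
}
# WinZip AES extra field: id 0x9901, 7 data bytes = AE-2, vendor "AE", strength 3 (256-bit), real method 8
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, zipfile.ZIP_DEFLATED)


def _write_bundle(extra=b""):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in SAMPLE_FILES.items():
            zi = zipfile.ZipInfo(name)
            zi.compress_type = zipfile.ZIP_DEFLATED
            zi.extra = extra
            zf.writestr(zi, text)
    return buf.getvalue()


def _mark_encrypted(data, method):
    """Patch flag bit 0 and the method into every central-directory header (fixture only;
    zipfile cannot write encrypted members, so the bodies are left as written)."""
    out = bytearray(data)
    for pos, fields, _name, _extra in list(_central_directory(data)):
        struct.pack_into("<HH", out, pos + 8, fields[3] | FLAG_ENCRYPTED, method)
    return bytes(out)


def plain_bundle():
    return _write_bundle()


def zipcrypto_bundle():
    # Legacy encryption keeps the real method (8 = deflate) and only sets the encrypted bit.
    return _mark_encrypted(_write_bundle(), zipfile.ZIP_DEFLATED)


def aes256_bundle():
    # WinZip AE-x sets method 99 and carries the real method in the 0x9901 extra field.
    return _mark_encrypted(_write_bundle(AES256_EXTRA), AES_METHOD)


if __name__ == "__main__":
    for label, bundle in [("plain", plain_bundle()), ("zipcrypto", zipcrypto_bundle()), ("aes256", aes256_bundle())]:
        print(label, classify_entries(bundle), "upload ok" if safe_to_upload(bundle) else "REJECT")
```

Two practical notes for the 7z route the answer recommends: 7-Zip's native .7z container always uses AES-256 when a password is set (add `-mhe=on` so the file names are encrypted too), whereas its .zip output falls back to ZipCrypto unless you pass `-mem=AES256`, so run a check like the one above on any .zip before it goes into the vault. The check only inspects headers; it says nothing about the strength of the passphrase, which should itself live in the vault as a separate, long, randomly generated secret.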