2

As with many systems (primarily websites) there are automatic components that run on a server and are not user based (such as crons) that don't have the opportunity for a real person to input a secret password to decrypt the secrets that are used. Bearing that in mind, without a secret stored in a humans head, how can an automated system secure the keys it uses so that it protects the secrets from access by anyone (hacker or authorized user) browsing the server source?

The best method I can come up with is for the system to only use temporary access keys that get cleared when the process is complete, with the resulting data stored using asymmetric encryption for the user. Aside from that, are there any other methods for allowing secure automated processing on encrypted data?

ZnArK
  • 587
  • 1
  • 5
  • 10
topherg
  • 209
  • 2
  • 9

1 Answers1

3

There are a large number of ways to do this. Simplest is this:

  • A key thing you need to remember is that you don't need to store authentication keys or tokens where an attacker can get them!

On a well configured webserver you have public and private environments, and they can be well segregated.

Rory Alsop
  • 61,367
  • 12
  • 115
  • 320