To: Kevin Schroeder <mirage@mirageworks.com>
From: Fabrice Scemama <gesnet@scemama.org>
Subject: Re: ssl encryption
Date: Sat, 16 Jun 2001 04:30:23 +0200 (CEST)

On Thu, 14 Jun 2001, Kevin Schroeder wrote:

> This would make an interesting discussion because I've had the same question
> come up in my mind. How do you encrypt things on your server without giving
> out the passphrase? Is it even possible to keep the key in the same
> location as the program using it and still maintain security?

Yes, it's possible. To achieve this, you should use asymmetric encryption, and *not* store the private key on the server.

Then the question remains: how can I have the server safely decrypt on demand?

One possible solution could be to store the private key on a remote server, dedicated to the unique task of decrypting the sensitive data. A secure tunnel could be established between the two servers, so as to communicate the encrypted text and get back the decrypted text safely.

You could even add security by storing the private key in a smartcard, and having the smartcard reader connected to the server. Decryptions would have to be done within the smartcard. It's completely possible, but you almost certainly don't want such CPU-expensive operations to be done within an 8-bit smartcard!
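The split Fabrice describes, worked through as an added example (this is not code from the thread, and the names FrontEnd, DecryptService, Envelope, NewPair, Seal and Decrypt are my own). The exposed server holds only the public key and can encrypt at will; the private key exists only inside a separate decryption service, which here is modelled as an in-process value standing in for the remote host reached over the tunnel. It also uses hybrid (envelope) encryption, a design choice of mine rather than something the message spells out: each record is encrypted under a fresh AES-256-GCM data key and only that 32-byte key is RSA-OAEP-wrapped, so the private-key holder performs exactly one small RSA operation per record regardless of record size, which is what makes the smartcard variant bearable in practice. The sample record in main is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is the only thing the front-end server persists: the random data
// key wrapped to the decryption service's public key, plus the AES-GCM nonce
// and ciphertext. Nothing in it can be opened without the private key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// FrontEnd is the exposed server. It holds only the public key (assumed name).
type FrontEnd struct{ pub *rsa.PublicKey }

// DecryptService stands in for the isolated host (or smartcard) that owns the
// private key; in deployment it sits behind the tunnel (assumed name).
type DecryptService struct{ priv *rsa.PrivateKey }

// label ties the OAEP ciphertext to this one purpose, so a wrapped data key
// cannot be presented to the service as some other kind of message.
var label = []byte("data-key-wrap")

// NewPair generates a key pair and hands the private half to the service and
// only the public half to the front end.
func NewPair(bits int) (*FrontEnd, *DecryptService, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	return &FrontEnd{pub: &priv.PublicKey}, &DecryptService{priv: priv}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the front end: a fresh 256-bit data key encrypts the record
// with AES-GCM, and RSA-OAEP under the public key wraps that data key. The
// plaintext data key is dropped as soon as Seal returns.
func (f *FrontEnd) Seal(plaintext []byte) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, f.pub, dataKey, label)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// Decrypt runs on the decryption service once the envelope has arrived over
// the tunnel. One RSA-OAEP operation recovers the data key; the bulk work is
// symmetric. GCM authentication rejects any tampered envelope.
func (d *DecryptService) Decrypt(env *Envelope) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, d.priv, env.WrappedKey, label)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	front, svc, err := NewPair(2048)
	if err != nil {
		panic(err)
	}
	// constructed sample record
	env, err := front.Seal([]byte("cardholder: J. Doe, pan: 4111111111111111"))
	if err != nil {
		panic(err)
	}
	pt, err := svc.Decrypt(env)
	fmt.Printf("round trip ok: %v, %q\n", err == nil, pt)
	env.Ciphertext[0] ^= 0x01 // corrupt one byte in transit
	_, err = svc.Decrypt(env)
	fmt.Println("tampered envelope rejected:", err != nil)
}
```

For the smartcard variant, the front end would ship only env.WrappedKey to the card and do the AES step itself with the returned data key; the card then never touches more than one RSA decryption per record. Whichever variant is used, the service should authenticate the caller on the tunnel and rate-limit or log decryptions, since a compromised front end can still ask it to decrypt everything it holds.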