Good morning, I've been thinking about how to properly protect private key in a world
where HSM is not an option. Currently a key pair is generated
(
https://github.com/keycloak/keycloak/blob/c0a1090733975977179662dd44fc3ac...)
to cryptographically sign tokens
(
https://github.com/keycloak/keycloak/blob/0fe9318fa414d06fc39c83d91c78eff...)
and the private key is stored into the database.
Some of the possibilities to improve it:
# 1
- HSM or Java Security manager are perfect, but impractical for regular devs, that would
require a lot of maintanance (a dream)
# 2
- Entering a password for a PKCS#8/PBKDF2-derived key, also impractical assuming that
someone would be required to enter the password at each app startup
# 3
- Not bullet-proof solution, but store the key into a text file that only sysadmins and
the web server has access, doing our best with the usage of ACLs provided by environment.
I understand Bill's concern
(
http://lists.jboss.org/pipermail/keycloak-dev/2014-January/001089.html) but at the same
time, a file could have a very restricted access while the database is more acessible to
developers.
-
# 4
Generate the keys per session, instead of use it per realm (it must be tested/implemented
because that could slow down our server)
# 5
Leave it as is.
So what do you think? Ideas or tomatoes?
--
abstractj