[keycloak-dev] Storage protection

Good morning, I've been thinking about how to properly protect private key in a world where HSM is not an option. Currently a key pair is generated (https://github.com/keycloak/keycloak/blob/c0a1090733975977179662dd44fc3ac...) to cryptographically sign tokens (https://github.com/keycloak/keycloak/blob/0fe9318fa414d06fc39c83d91c78eff...) and the private key is stored into the database. Some of the possibilities to improve it: # 1 - HSM or Java Security manager are perfect, but impractical for regular devs, that would require a lot of maintanance (a dream)   # 2 - Entering a password for a PKCS#8/PBKDF2-derived key, also impractical assuming that someone would be required to enter the password at each app startup # 3 - Not bullet-proof solution, but store the key into a text file that only sysadmins and the web server has access, doing our best with the usage of ACLs provided by environment.  I understand Bill's concern (http://lists.jboss.org/pipermail/keycloak-dev/2014-January/001089.html) but at the same time, a file could have a very restricted access while the database is more acessible to developers. -  # 4 Generate the keys per session, instead of use it per realm (it must be tested/implemented because that could slow down our server) # 5 Leave it as is. So what do you think? Ideas or tomatoes? -- abstractj