One of my company's employees' private keys was compromised and it had disastrous consequences for the company. Now the company is planning to set up public/private key management. I'm wondering how big companies like Google and Amazon do key management. Do they use a third-party application for centralization, or do they do it with a set of PKI policies to be implemented in the organization? How do they manage the key life-cycle?
Thanks for your time.
I believe they do it in very different ways, but there are many solutions for this. From the AWS perspective, I'd suggest you take a look at AWS CloudHSM, a hardware security module provisioned as a service for secure key management: https://aws.amazon.com/cloudhsm
If you are REALLY paranoid about security, you do not store the private key on the filesystem, you store it in hardware. A Hardware Security Module (HSM) from a company like SafeNet or Thales/nCipher is a physically hardened security appliance that is designed to protect encryption keys. Once the keys are generated on the HSM they cannot be removed. That is, you cannot extract the key and copy it off somewhere else to be used for malicious purposes. Additionally, they have hardened operating systems and software designed to prevent an attacker from being able to hack into the appliance. Too many unsuccessful logins? The device securely wipes its contents. Try to pry open the box to remove the flash memory holding the keys? There is epoxy on the physical hardware components and you will end up destroying them.
These devices also typically include cryptographic accelerators to increase the speed at which cryptographic operations are performed. They also tend to include standards-based APIs, such as PKCS#11 or JCE, so it is easy to integrate with other software, such as Apache or your Java JVM.
An HSM is not cheap, but if you are really concerned about the security of your cryptographic material, this is how you protect it.
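To make the "keys cannot be removed" point concrete, here is an added example (not from the answer above) of what the PKCS#11 integration looks like from the client side: the private key is generated on the token with SENSITIVE and EXTRACTABLE set so that the device refuses to hand the key material back, and the application only ever asks the HSM to sign. It assumes the python-pkcs11 package, a PKCS#11 module path in `PKCS11_MODULE` (SoftHSM works for a lab), and a token label and user PIN in `PKCS11_TOKEN` / `PKCS11_PIN`; those names are assumptions, not anything from the thread.

```python
# Added example using python-pkcs11 (assumed installed). Environment variable
# names PKCS11_MODULE, PKCS11_TOKEN and PKCS11_PIN are assumptions for this demo.
import os

# Attribute template for a private key that is generated on the token and
# can never be read back out, even by a logged-in user of the slot.
HARDENED_PRIVATE_TEMPLATE = {
    'TOKEN': True,         # persists on the device, not in session memory
    'PRIVATE': True,       # only visible after login with the user PIN
    'SENSITIVE': True,     # C_GetAttributeValue on VALUE is refused
    'EXTRACTABLE': False,  # C_WrapKey cannot export it either
    'SIGN': True,
    'DECRYPT': False,      # single purpose: a signing key only
}


def template_violations(attrs):
    """Return the attribute names that would let a private key leave the HSM.
    Takes a plain dict of attribute name -> value so policy can be checked
    before any key is created (also usable in a CI check on key configs)."""
    required = {'TOKEN': True, 'SENSITIVE': True, 'EXTRACTABLE': False}
    return sorted(name for name, want in required.items()
                  if attrs.get(name) != want)


def generate_locked_signing_key(label, data=b'constructed audit record'):
    """Generate an RSA-2048 pair on the token, sign and verify with it, then
    try to read the private key back. Returns (signature_valid, key_leaked)."""
    import pkcs11
    from pkcs11 import Attribute, KeyType, Mechanism
    from pkcs11.exceptions import AttributeSensitive

    assert template_violations(HARDENED_PRIVATE_TEMPLATE) == []
    lib = pkcs11.lib(os.environ['PKCS11_MODULE'])
    token = lib.get_token(token_label=os.environ['PKCS11_TOKEN'])
    private_template = {getattr(Attribute, name): value
                        for name, value in HARDENED_PRIVATE_TEMPLATE.items()}
    with token.open(rw=True, user_pin=os.environ['PKCS11_PIN']) as session:
        pub, priv = session.generate_keypair(
            KeyType.RSA, 2048, label=label, store=True,
            private_template=private_template)
        sig = priv.sign(data, mechanism=Mechanism.SHA256_RSA_PKCS)
        signature_valid = pub.verify(data, sig, mechanism=Mechanism.SHA256_RSA_PKCS)
        try:
            priv[Attribute.VALUE]      # ask the HSM for the private exponent
            key_leaked = True          # a real HSM never reaches this line
        except AttributeSensitive:
            key_leaked = False         # device refused: key stays on the HSM
    return signature_valid, key_leaked
```

Running `generate_locked_signing_key('app-signing-2024')` against a token should return `(True, False)`; if it ever returns `key_leaked == True`, the token or template is not enforcing the policy the answer describes.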