[asterisk-dev] Encrypted RSA keys

Tzafrir Cohen tzafrir.cohen at xorcom.com
Mon Nov 12 15:26:25 CST 2007


On Mon, Nov 12, 2007 at 10:17:44PM +0100, Michiel van Baak wrote:
> On 15:02, Mon 12 Nov 07, Tilghman Lesher wrote:
> > We're considering some renovations to the res_crypto module, and we're
> > coming across the fact that OpenSSL does encryption of RSA private keys
> > in a very wacky way, that we're unable to reproduce in non-OpenSSL code.
> > However, it is the case that initializing the keys, by typing in passphrases
> > at every restart of Asterisk is very manually-oriented, certainly not
> > something most people would want to depend upon (especially if you're
> > running a GUI or the safe_asterisk shell script).
> > 
> > So we're wondering... how many people are actually using encrypted private
> > RSA keys?  Anybody?  If the ability to encrypt the keys went away in a future
> > version, how concerned would you be?  The security paranoid are probably
> > using encrypted filesystems anyway, so the lack of an additional encryption
> > layer around private keys stored on that filesystem shouldn't be a big deal.
> 
> Why would you get rid of them?
> I think it's a great feature to allow encrypted keys.
> 
> I think removing it would be the same as removing password
> support from ssh keys

In what scenario do you start Asterisk manually?

In what scenario where you don't start Asterisk manually does encrypting
the keys help?

-- 
               Tzafrir Cohen       
icq#16849755              jabber:tzafrir.cohen at xorcom.com
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir


