key storage

Paul Rubin http
Thu Aug 26 21:32:34 EDT 2004


Ajay <abra9823 at mail.usyd.edu.au> writes:
> my question is how should these be stored on the server? encryption is
> the best solution, but if i encrypt them with another key, the question is
> where does this key get stored?

It's a hard problem.  Really serious systems use crypto coprocessors
with hardware-encapsulated keys.  A cheesy substitute is to store the
keys in a running process on the same server, that your cgi connects
to through an AF_UNIX socket when it wants to encrypt something.  I
have a Python module that does stuff like that.  You enter a
passphrase when you start the process, and then it keeps running.  Of
course you have to re-enter the passphrase on reboot or something like
that.

Slightly out-of-date docs are at:

  http://www.nightsong.com/phr/crypto/crypto.txt

I never released this thing but I guess I could do so pretty soon.  I
will not make any promises about its security.
