My name is Patrik Martinsson and I work as a system administrator at the Swedish Meteorological Hydrological Institute.
I'm looking for some advice regarding "safely" storing certificates with private keys on Linux clients running RHEL 6.4.
We have around 150 Linux clients, all centrally managed by Puppet.
Recently we made it possible for a client to acquire a certificate from a central SCEP server.
That certificate, including the private key, will then be used to authenticate the client against our 802.1X network.
I'm just curious whether there are any recommendations regarding how to "safely" store the private key (or actually the password to the private key) on the client.
In Windows I know there's some sort of "certificate store" where you can store your certificates/keys (and the password, I guess) and mark them as non-exportable (and yes, I also know that there are ways around it, so you can actually retrieve the private keys anyway if you have the know-how).
The way we are testing it right now (on 2-3 clients) is to have the certificate and the key as a .p12 bundle, readable by everyone (since anyone who logs into the computer should be able to use the network), and then point NetworkManager to it. The .p12 bundle is password-protected, so if anyone tries to copy the .p12 bundle they also need the password (which is stored in clear text by NetworkManager in the /etc/sysconfig/network-scripts/keys-Auto_ssid file, since we checked the "Available to all users" checkbox in NetworkManager. If we don't check that box, the password to the .p12 bundle would be available to the user).
Anyway, I'm just looking at ways to "safely" store the bundle (same goes here, actually it's the password to the private key I want to store in a safe manner) in some "smart way" that doesn't make it obvious to a regular user how to steal a certificate incl. the private key and the password.
Which today would be,
- Boot livecd,
- Copy certificate and 'cat /etc/sysconfig/network-scripts/keys-Auto_ssid-file'
We were thinking about maybe using encfs (since it's simple and in userspace) on a folder, where we then would store the password to the key (and then point the /etc/sysconfig/network-scripts/keys-Auto_ssid file to that location).
We would then unlock the folder with the password at boot. But that doesn't *really* add any extra security, it would only add some complexity regarding managing our clients. The method to get the actual password to the private key would then be something like,
- Boot livecd
- Copy certificate
- Notice that '/etc/sysconfig/network-scripts/keys-Auto_ssid-file' is a link to some encrypted file,
- Find the "start-script" that actually unlocks the folder, run it manually and then copy/cat the password-file.
It adds the step "Find the start-script that unlocks the folder", but anyone with some basic Linux-knowledge would figure that out.
Any ideas are more than welcome,
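As an added example (this is not part of the post above, nor anything shipped with NetworkManager), here is a small POSIX shell audit a sysadmin could push out with Puppet to check the setup described: whether a keys-* file or the .p12 bundle is readable by anyone other than root, and which *PASSWORD*= variables it stores in clear text. The variable name IEEE_8021X_PRIVATE_KEY_PASSWORD and the sample file contents are constructed for the demo, not taken from a real client.

```shell
#!/bin/sh
# Added example, not from the original post: audit a NetworkManager secrets
# file (keys-*) or a .p12 bundle for two defender questions: can users other
# than root read it, and which *PASSWORD*= variables does it hold in clear text?

# secret_file_ok FILE [UID]: 0 if FILE exists, belongs to UID (default 0, root)
# and has no group/other permission bits (e.g. mode 600 or 400), else 1.
secret_file_ok() {
    _f="$1"; _want="${2:-0}"
    [ -f "$_f" ] || return 1
    [ "$(stat -c '%u' "$_f")" = "$_want" ] || return 1
    case "$(stat -c '%a' "$_f")" in
        [0-7]00) return 0 ;;
        *)       return 1 ;;
    esac
}

# cleartext_secret_vars FILE: print the names of *PASSWORD* variables in FILE.
cleartext_secret_vars() {
    grep -oE '^[A-Za-z0-9_]*PASSWORD[A-Za-z0-9_]*=' "$1" 2>/dev/null | tr -d '='
}

# audit_secret_file FILE [UID]: print one FINDING line per problem and
# return the number of findings (0 means the file passed).
audit_secret_file() {
    _k="$1"; _o="${2:-0}"; _n=0
    if ! secret_file_ok "$_k" "$_o"; then
        echo "FINDING: $_k is readable by users other than uid $_o"
        _n=$((_n + 1))
    fi
    for _v in $(cleartext_secret_vars "$_k"); do
        echo "FINDING: $_k stores $_v in clear text"
        _n=$((_n + 1))
    done
    return $_n
}

# demo_audit: constructed sample (not real data) reproducing the post's
# situation, a world-readable keys file holding the .p12 password. The owner
# is the current uid so the demo runs without root. Returns the finding count (2).
demo_audit() {
    _d=$(mktemp -d)
    printf 'IEEE_8021X_PRIVATE_KEY_PASSWORD=example-only\n' > "$_d/keys-Auto_ssid"
    chmod 644 "$_d/keys-Auto_ssid"
    audit_secret_file "$_d/keys-Auto_ssid" "$(id -u)"; _r=$?
    rm -rf "$_d"
    return $_r
}

demo_audit || echo "findings: $?"
```

Note that this only catches on-disk exposure to other logged-in users; it says nothing about the live CD scenario in the post, where file permissions are irrelevant.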