Thursday 26 March 2015

JKS - Keystore protection and configuration file



It appears that a Java Keystore (JKS) is often used by web servers through a configuration file that contains both the password that opens the JKS and the password that protects the specific entry.


How could that be considered secure? With this scheme, the "secret problem" has simply moved to the configuration file. Even if the file is protected by file permissions, it still needs to be encrypted, doesn't it? But that would mean that each time the web server is started, an administrator must enter a password so that the symmetric key can be derived (PBKDF2) and the file decrypted?


I would like to know more about how this is managed in a secure way.
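One way to implement the scheme the post describes, written here as an added example (not code from the post or from any particular web server): the administrator types a passphrase at startup, PBKDF2 derives an AES key from it, the encrypted configuration file is decrypted, and the recovered store and entry passwords open the JKS. The file name server.conf.enc, the property names, the blob layout and the iteration count are assumptions; PBKDF2WithHmacSHA256 requires Java 8 or later.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;

public class EncryptedKeystoreConfig {
    // Assumptions: iteration count, blob layout and property names are illustrative only.
    static final int PBKDF2_ITERATIONS = 200_000, SALT_LEN = 16, IV_LEN = 12, GCM_TAG_BITS = 128;

    // Derive a 256-bit AES key from the admin's passphrase and the per-file salt.
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] raw = f.generateSecret(new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, 256)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    // Assumed layout of the encrypted file: salt || IV || AES-GCM ciphertext+tag.
    static Properties decryptConfig(byte[] blob, char[] passphrase) throws Exception {
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] plain = c.doFinal(ct); // a wrong passphrase or a tampered file fails the GCM tag check here
        Properties cfg = new Properties();
        cfg.load(new StringReader(new String(plain, StandardCharsets.UTF_8)));
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        // The passphrase is typed at startup and never stored on disk (requires an attached console).
        char[] passphrase = System.console().readPassword("Config passphrase: ");
        Properties cfg = decryptConfig(Files.readAllBytes(Paths.get("server.conf.enc")), passphrase);
        Arrays.fill(passphrase, '\0');
        char[] storePass = cfg.getProperty("keystore.password").toCharArray();
        char[] entryPass = cfg.getProperty("keystore.entry.password").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(cfg.getProperty("keystore.path"))) {
            ks.load(in, storePass); // store password: integrity check of the whole JKS
        }
        Key key = ks.getKey(cfg.getProperty("keystore.alias"), entryPass); // entry password: decrypts the private key
        Arrays.fill(storePass, '\0');
        Arrays.fill(entryPass, '\0');
        System.out.println("Loaded private key: " + key.getAlgorithm());
    }
}
```

The secret has moved once more, this time to the console prompt: the server can no longer restart unattended, which is exactly the trade-off the post points at.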
