How to Store Private Keys Securely

The private key is a text file created during Certificate Signing Request (CSR) generation using a unique random number. You should always keep it in a safe place and never share it with anyone. Even if it’s just a text file, it’s essential for data integrity. A compromised private key can damage your reputation beyond repair, not to mention the financial losses you may incur. In this article, we’ll show you private key storage best practices.


Table of Contents

  1. Where to Store the Private Key?
  2. How to Protect the Private Key?
  3. What Happens When a Private Key Is Compromised?
  4. What to Do if You’ve Lost Your Private Key?

The backbone of Web encryption is Public Key Infrastructure (PKI) – a system that provides secure communication over a network by using a combination of public and private cryptographic keys. These keys are generated together as a pair and work in tandem during the TLS handshake process. The public key is used to encrypt, and the private key is used to decrypt the data.

While public keys are available to anyone as part of your SSL certificate, the private key is stored on the server and kept secret. When you fill in a form with personal information and submit it to the server, the public key encrypts the information and protects it from cyber-attackers. Once it reaches the server, the private key decrypts this information. The key pair ensures that nobody else can decode your sensitive data. In the next paragraphs, we’ll show you how to store private keys securely.


Where to Store the Private Key?

Generally, the best way to store private keys is to generate them along with the CSR on the server where you intend to install the SSL certificate. This way, you eliminate the risk of exposing the key during the transfer from one machine to another. However, sometimes you may need to create the private key via an external CSR generator tool. For this reason, there are special files called keystores that can safely store your public and private key pair.

Locally with Keystores (PFX and JKS files)

PKCS#12 (.pfx or .p12) and .jks (created by the Java keytool) are special files containing your public/private key pair. You can store these files anywhere, including remote servers. Their main security appeal is a password that protects the contents. Anytime you want to use your private key, you have to enter that password. Be sure to create a strong, random password if you use this method.

Another benefit of such files is that you can easily distribute copies if multiple people need to use the certificate. Just make sure you completely trust them and their intentions when sharing the private key password.


Hardware Security Module

If you’re looking for a bulletproof way to store your private keys, then you should go with physical devices such as USB Tokens, Smart Cards, or a Hardware Security Module (HSM). With hardware storage devices, the attackers must first gain physical access to them, which is significantly less likely in the real, physical world. The trick here is not to leave portable devices such as USB Tokens and Smart Cards connected. As for HSMs, these cryptographic hardware storage devices should, in both theory and practice, offer the best protection, but they are expensive and impractical for most users.


How Should You Protect Your Private Key?

Storing private keys securely is essential for protecting sensitive information and ensuring data confidentiality, integrity, and authenticity. Private key storage best practices aren’t limited to physical or virtual locations. Extra safety measures and key management tools can add another layer to private key protection. Follow the crucial steps below, and you’ll never have to worry about your private keys’ security.

1. Use a Trusted Key Management System (KMS)

A KMS is a centralized system that provides secure storage, management, and protection of cryptographic keys. It allows you to create, rotate, and revoke keys and offers access controls to ensure that only authorized users can access the keys.

2. Encrypt the Private Key

You can encrypt private keys using a robust encryption algorithm such as AES (Advanced Encryption Standard) and store the encrypted key in a secure location. The U.S. government uses AES to protect classified information. 

Add a strong passphrase to encrypt the key, and keep the passphrase separate from the encrypted key. This way, even if hackers gain access to your private keys, they will have to guess the password and decrypt the private keys, giving the owner enough time to identify and eliminate the breach.

3. Back-Up Your Private Keys

Keep backups of the private key in case the original key is lost or compromised. However, ensure you store private key backups securely, such as in a safe, off-site location. Treat your backups as if they’re the original key.

4. Limit Access

Only grant access to the private key to authorized users who need it to perform their tasks and duties. Use access controls and logging mechanisms to track access to the key. Ensure your company has a clear key management policy and that employees are aware of cyber-security threats.

5. Verification Monitoring

Monitoring and verifying your private keys’ access control process is essential in securing your keys. Regularly check who has access to private keys to catch any unexpected changes or unauthorized access attempts. Use software to automate this process whenever possible, or hire an independent third party to perform an audit. Effective verification monitoring keeps your private keys secure and prevents any unauthorized access.
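
The checks from steps 2, 4 and 5 can be automated with a small audit script. The following is an added example, not code from the original article: the names `audit_key_file` and `demo`, the sample file names and the placeholder PEM bodies are constructed for illustration, and POSIX file permissions are assumed.

```python
import os
import re
import stat
import tempfile

def audit_key_file(path):
    """Return a list of findings for one PEM private key file (empty list = pass)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)   # POSIX permission bits assumed
    if mode & 0o077:
        findings.append(f"mode {mode:04o} gives group/other access; expected 0600 or stricter")
    with open(path, errors="replace") as fh:
        text = fh.read()
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:
        return findings                          # PKCS#8 with passphrase encryption
    if "Proc-Type: 4,ENCRYPTED" in text:         # legacy OpenSSL PEM encryption header
        m = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+)", text, re.M)
        cipher = m.group(1) if m else "unknown"
        if not cipher.upper().startswith("AES-"):
            findings.append(f"encrypted with {cipher}, not AES")
    elif re.search(r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----", text):
        findings.append("private key is stored without passphrase encryption")
    else:
        findings.append("no PEM private key block found")
    return findings

# Constructed samples: real PEM labels and headers, placeholder bodies (no key material).
SAMPLES = {
    "plain.key": (0o644, "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n"
                         "-----END PRIVATE KEY-----\n"),
    "legacy_3des.key": (0o600, "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                               "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nPLACEHOLDER\n"
                               "-----END RSA PRIVATE KEY-----\n"),
    "good.key": (0o600, "-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n"
                        "-----END ENCRYPTED PRIVATE KEY-----\n"),
}

def demo():
    """Write the samples to a temporary directory and audit each one."""
    report = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, (mode, pem) in SAMPLES.items():
            path = os.path.join(tmp, name)
            with open(path, "w") as fh:
                fh.write(pem)
            os.chmod(path, mode)
            report[name] = audit_key_file(path)
    return report

if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {'; '.join(findings) or 'OK'}")
```

A clean result only confirms that the file is passphrase-encrypted and readable by its owner alone; it says nothing about the strength of the passphrase or where the passphrase is kept.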


What Happens When a Private Key Is Compromised?

Sometimes, despite your best efforts, your private keys may become compromised. If you suspect or detect a security breach, you should submit a certificate revocation request to your Certificate Authority. Depending on your particular situation, the CA may have up to 5 days to revoke the certificate. If it finds clear evidence that the certificate request was not authorized, the certificate must be revoked within 24 hours.


What to Do if You’ve Lost Your Private Key?

You don’t have to submit a revocation request if you’ve accidentally deleted the file and there’s no backup. In this case, all you have to do is contact your CA and ask for your certificate to be reissued. However, if your private keys may fall into someone else’s hands as a result of a lost or stolen hard drive, it’s safer to ask for certificate revocation.


Conclusion

The private key is a critical component of your SSL certificate and data protection. While no one is immune to data breaches, taking the necessary preventive measures reduces the risk associated with a compromised private key. Follow private key storage best practices to avoid high-impact security incidents that may have a lasting effect on your business operations.
