Encryption
Specifies the method by which service keys are encrypted.
Warning: This configuration MUST NOT be modified after initialization of the service.
None
Does not encrypt key files.
Warning: This configuration is strongly discouraged for production.
Encryption: none
RSA
Encrypts key files using an asymmetric key pair.
Encryption: Rsa.{
Key: "path_to_private_key"
}
YubiKey
Encrypts key files using an asymmetric key pair stored on YubiKey hardware.
Encryption: YubiKey.{
Serial: \x0000_0000
Slot: R1
}
YubiHsm
Encrypts key files using an asymmetric key pair stored on YubiHsm hardware.
Encryption: YubiHsm.{
# TBD
}
Key Generation
Note: The service uses binary PKCS#8 DER files for RSA.
openssl genpkey -algorithm RSA -outform DER -pkeyopt rsa_keygen_bits:2048 -out key.der
Best Practice
The private key file should be stored in a directory outside the service's own installation and be readable only by the service user.
sudo mkdir -p /cert/ryouiki
sudo mv key.der /cert/ryouiki/
sudo chown ryouiki:ryouiki /cert/ryouiki /cert/ryouiki/key.der
sudo chmod 700 /cert/ryouiki          # a directory needs the owner execute bit to be traversable
sudo chmod 600 /cert/ryouiki/key.der  # the key itself: owner read/write only
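As an added pre-flight check (not part of the service's own tooling; standard library only, no assumptions beyond the layout documented above), the following Python inspects a key file before it is referenced from `Key:`. It confirms the outer ASN.1 structure is a PKCS#8 PrivateKeyInfo whose algorithm is rsaEncryption, distinguishing that from PEM text or a traditional PKCS#1 `RSA PRIVATE KEY`, and checks that the file mode carries no group/other bits as the chmod step produces. The sample blobs are constructed placeholders, not real keys.

```python
import os
import stat

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, DER-encoded

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_key_file(data: bytes) -> str:
    """'pkcs8-rsa' for a file the service accepts, otherwise a short reason."""
    if data.startswith(b"-----BEGIN"):
        return "pem"  # text encoding; the service wants binary DER
    try:
        tag, body, _ = _read_tlv(data, 0)
        if tag != 0x30:
            return "not-der-sequence"
        tag, _version, pos = _read_tlv(body, 0)
        if tag != 0x02:
            return "not-der-sequence"
        tag, alg, pos = _read_tlv(body, pos)
        if tag == 0x02:
            return "pkcs1"  # version then modulus INTEGER: traditional RSAPrivateKey
        if tag != 0x30:
            return "unknown"
        oid_tag, oid, _ = _read_tlv(alg, 0)
        if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
            return "not-rsa"  # PKCS#8, but the AlgorithmIdentifier is not rsaEncryption
        tag, _, _ = _read_tlv(body, pos)
        return "pkcs8-rsa" if tag == 0x04 else "unknown"
    except IndexError:
        return "truncated"

def mode_is_private(mode: int) -> bool:
    """True when no group/other permission bits are set (what chmod 600 produces)."""
    return (mode & 0o077) == 0

def check_key_file(path: str) -> tuple:
    """Classify the DER contents and check the file mode of an on-disk key."""
    with open(path, "rb") as f:
        kind = classify_key_file(f.read())
    return kind, mode_is_private(stat.S_IMODE(os.stat(path).st_mode))

# Constructed samples (not real keys): a PKCS#8 wrapper around a 3-byte placeholder,
# and a PKCS#1 RSAPrivateKey stub (version 0, modulus 5).
SAMPLE_PKCS8_RSA = bytes.fromhex("3017020100300d06092a864886f70d01010105000403010203")
SAMPLE_PKCS1 = bytes.fromhex("3006020100020105")
```

Run `check_key_file("/cert/ryouiki/key.der")` as the service user; anything other than `("pkcs8-rsa", True)` means the file or its permissions need fixing before the service is initialized.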