Optimal setup for corporate keys
ndk.clanbo at gmail.com
Mon Jul 20 09:12:08 CEST 2015
Il 20/07/2015 02:44, F Rafi ha scritto:
> We will have decryption processes on multiple servers. So if one server
> happens to get compromised, I want to avoid the disruption of reaching
> out to 40 partners to exchange keys again. We would only reach out to
> the affected partners with new keys.
If possible, I'd go for the HSM route (openpgp card or FST-01). This
way, if a server gets compromised remotely, the attacker can not get a
copy of the key (but he'll be able to use it as long as his activity on
the server is not detected!).
If the attacker obtains physical access to the server, you're toasted
Just my .02 ...
More information about the Gnupg-users