by starekrow
3119 days ago
I use it to store database passwords and AWS API keys on EC2 instances that are running web servers. When combined with a dead simple key distribution client/server setup, you can sleep a bit better knowing that even if someone managed to copy the entire hard drive, they wouldn't get your keys. Of course, if they get root on the box in operation it's all over, but anything short of that should be survivable. It beats the hell out of writing them all in the clear to "config.php" and checking that in with the rest of your site source. I've also used similar code to manage an encrypted file store for a small business - since each file gets its own locks (essentially a cryptographic ACL) and each attached key is publicly identified, it's easy to see who can read (or change) any given file. Being able to remove lockboxes without decrypting the data means that a sysadmin can strip access from someone who leaves the company without needing an all-powerful "root" key.
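The per-file lockbox arrangement described in the comment above, as an added example that is neither the commenter's code nor the library's API: the file is encrypted once under a random content key, and that key is wrapped separately for each reader. The function names, the array layout and the reader ids are assumptions; the only dependency is PHP's bundled sodium extension.

```php
<?php
// Added illustration; every function name and the file layout are hypothetical.
function seal(string $plain, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
}

function unseal(string $blob, string $key): ?string {
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) return null;
    $plain = sodium_crypto_secretbox_open(substr($blob, $n), substr($blob, 0, $n), $key);
    return $plain === false ? null : $plain;   // false means wrong key or tampering
}

// Encrypt once under a random content key, then wrap that key for each reader.
function lockFile(string $plain, array $readerKeys): array {
    $contentKey = sodium_crypto_secretbox_keygen();
    $file = ['data' => seal($plain, $contentKey), 'lockboxes' => []];
    foreach ($readerKeys as $id => $key) {
        $file['lockboxes'][$id] = seal($contentKey, $key);   // id is public, key is not
    }
    return $file;
}

function openFile(array $file, string $id, string $key): ?string {
    $box = $file['lockboxes'][$id] ?? null;
    $contentKey = $box === null ? null : unseal($box, $key);
    return $contentKey === null ? null : unseal($file['data'], $contentKey);
}

// Needs no key at all: the encrypted data is left untouched. This stops future
// opens of this copy; it cannot recall a content key or plaintext already taken.
function revoke(array $file, string $id): array {
    unset($file['lockboxes'][$id]);
    return $file;
}

// Constructed demo: two readers, then one leaves.
$keys = ['alice' => sodium_crypto_secretbox_keygen(),
         'bob'   => sodium_crypto_secretbox_keygen()];
$file = lockFile('db_password=constructed-example', $keys);
echo 'readers: ', implode(', ', array_keys($file['lockboxes'])), PHP_EOL;

$after = revoke($file, 'bob');
echo 'data unchanged: ', var_export($after['data'] === $file['data'], true), PHP_EOL;
echo 'alice: ', var_export(openFile($after, 'alice', $keys['alice']), true), PHP_EOL;
echo 'bob:   ', var_export(openFile($after, 'bob', $keys['bob']), true), PHP_EOL;
```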