On Jan 15, 2012 12:58 PM, "Mauro Santos" <registo.mailling@xxxxxxxxx> wrote:
>
> On 15-01-2012 16:38, Audric Schiltknecht wrote:
> >
> > Upstream says (http://redmine.lighttpd.net/projects/1/wiki/Docs:SSL) that
> > the SSL password must be entered manually on each lighttpd start (or to
> > remove the password from the key file, which I don't want to do :))
>
> Just out of curiosity (and maybe learn something) why not? If you have
> the certificate and the password stored together then I'd say the
> password is not protecting much.

I'm not aware of a reason to lock the keyfile ... fairly standard AFAIK.

Though if you wanted to get fancy, you could probably store the pass in the kernel and use some request-key/keyctl trickery to pull it out when needed ... would need to be loaded at least once on boot, but it's the same place SSH/GPG keeps your keys IIRC, so it's safe ...

... maybe enc the password with your TPM, then decrypt into kernel keyring, then load into openssl when requested ... :-O

Or just unlock the keyfile.

--
C Anthony