Actually that isn't quite right. A properly configured and tuned RBAC <https://en.wikipedia.org/wiki/Grsecurity#Role-based_access_control> policy, when combined with PaX <https://en.wikipedia.org/wiki/Grsecurity#PaX>, can very effectively limit all userspace activity (including root access!). It helps if you can also use a hardware security module <https://en.wikipedia.org/wiki/Hardware_security_module> to protect your key material.

On Tue, Jul 21, 2015 at 1:48 AM, Salz, Rich <rsalz at akamai.com> wrote:

> > If someone builds their own openssl and adds a few lines to print the keys
> > during encrypt and decrypt and puts the library in the LD_LIBRARY_PATH,
> > it may result in compromising the security of the keys.
>
> Can anyone other than root do this? You have to trust root. They could
> just cat your keyfile anyway.