Encryption at rest
This looks like an awesome project and we've been looking for a solution just like this! We're currently using Netflix Lemur for certificate management and would love to switch over to this project. However, one concern/requirement we have is encryption at rest. Is there any plan to support this? This would be a very important part of keeping our and our customer's certificates secure!
Thanks for the kind words. I'm sorry to disappoint, but this feature isn't planned. I'm open to PRs for it as a configurable option, but we don't have the need for this in-house (and don't want this enabled by default for performance concerns). I understand that Agency Clients and Enterprise IT Policies often require this as part of their vendor agreements, but in-house use cases do not.
Two of the (many) reasons why this wasn't part of the project's design:
- Keys are stored by the 'official' clients as plaintext on disk, with access via system permissions. [This project stores data as-securely-as official clients]
- Keys are served in response to a domain name [This project exposes data less-securely-than official clients]
Aside from a handful of functionality features/bugfixes, my immediate focus is on improving security on the second point -- as this is the backend for dynamic SSL autoloading of the companion openresty plugin. Storing the data as encrypted doesn't offer much of a security improvement, as everything needs to be exposed as plaintext by design.
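The first bullet in the reply above makes filesystem permissions the only control on plaintext keys. The following added example (not part of this thread and not the project's code) audits that control. It assumes POSIX permission bits and PEM-encoded keys, and the file names and key material in `demo()` are constructed.

```python
import os
import stat
import tempfile


def is_plaintext_private_key(path):
    """True if the file starts with an unencrypted PEM private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(256)
    except OSError:
        return False  # unreadable by the auditing user: cannot classify
    # "ENCRYPTED" covers both PKCS#8 and legacy OpenSSL (Proc-Type) encrypted keys
    return b"PRIVATE KEY-----" in head and b"ENCRYPTED" not in head


def audit_key_permissions(root):
    """Report plaintext keys readable beyond their owner, and directories
    that group/other can write to (which allows swapping a key file)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dmode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if dmode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((dirpath, oct(dmode), "directory writable by group/other"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not is_plaintext_private_key(path):
                continue  # skip symlinks, certificates, encrypted keys
            fmode = stat.S_IMODE(st.st_mode)
            if fmode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, oct(fmode), "key accessible to group/other"))
    return sorted(findings)


def demo():
    """Audit a constructed directory: one tight key, one loose key, one cert."""
    key = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"
    samples = (("good.pem", key, 0o600), ("loose.pem", key, 0o644),
               ("cert.pem", b"-----BEGIN CERTIFICATE-----\n", 0o644))
    with tempfile.TemporaryDirectory() as root:
        for name, body, mode in samples:
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)
        return [(os.path.basename(p), m, why)
                for p, m, why in audit_key_permissions(root)]


if __name__ == "__main__":
    print(demo())
```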
Thank you for the reply. If we decide to use this we'll definitely try to integrate encryption at rest and make a pull request!