Re: Remote key generation

From: Alice Wonder <alice_at_librelamp.com>
Date: Thu, 14 Mar 2019 12:56:45 -0700

On 3/14/19 12:30 PM, David L Neil wrote:
> Is it possible, and are there any security objections to, generating
> keys and opendkim keyfiles (etc) on one machine, for deployment to another?
>
>
> What I would like to do is:
> 1 use my personal machine to keep a list of opendkim deployments on
> multiple physical servers
> 2 periodically generate new keys
> 3 build the necessary files locally (BASH/Python script)
> 4 deploy at appropriate times-of-day
>
> Assume all hardware is 64-bit, the OpSys may differ between CentOS7 and
> Fedora29, time zones differ hugely. The 'generator' machine does not run
> opendkim, the email servers do. (um, well, yes...)
>
> Better still: has it already been done/is there some web-based service
> I've not yet found?
>

The public key has to be in DNS and the private key just has to be on
the server that does the signing. Where it is generated doesn't matter.

I frequently generate private keys for all kinds of crypto uses on my
local workstation rather than on the server where they are deployed. It
avoids any possible issues of an attacker finding a way to monitor the
entropy source or key generation process on the remote server, making it
easier to brute force the private key.

Received on Thu Mar 14 2019 - 19:57:04 PST

This archive was generated by hypermail 2.3.0 : Fri Mar 15 2019 - 05:00:01 PST