
Protecting The Cybersecurity Crown Jewels: Encrypting The Private Key

It does no good to create a 2,048-bit RSA key pair for your systems, and then protect it with “Qwerty123”

--

There have been a number of recent hacks, including SolarWinds, in which an intruder discovered the private key used to sign software and then inserted a backdoor into the software. When updates are then pushed out, the software update is seen as trustworthy, as it has been signed by the private key of the software company and verified with their public key.

Along with this, the loss of a private key could give an intruder access to a public cloud infrastructure or even to a private GitHub repository (as SSH authentication with the private key is often used). Access to the private key can also allow a company to be impersonated, and trusted fake sites to be set up (as the private key proves the validity of the web site).

The protection of the private key is thus important, and it should never be stored in an unprotected format. The private key is one half of a key pair and is typically an RSA or an ECC key. The private key is used to sign data, and the public key then verifies the signature; or the public key is used to encrypt data, and the private key then decrypts it:
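The following script is an added example and is not code from the article or from ASecuritySite. It shows the point of the title in practice: an RSA-2048 private key is generated and written to disk only in passphrase-encrypted PKCS#8 form (PBES2 with AES-256-CBC and PBKDF2-HMAC-SHA256), and the checks confirm that the file is not a plaintext key, that only the right passphrase unlocks it, and that the unlocked key still signs data the public key verifies. It assumes an `openssl` binary of version 1.1.0 or later on the PATH; the passphrase value and the file names are placeholders chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the article): keep an RSA private key on disk only
# in passphrase-encrypted PKCS#8 form, then verify that it still works.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Placeholder passphrase for the demo. A real deployment takes it from a
# secrets store or an interactive prompt, never from a script or a shell
# history line, and it is certainly not "Qwerty123".
PASS="placeholder-long-random-passphrase-for-demo-only"

# Generate the key pair and pipe the plaintext key straight into pkcs8, so the
# unencrypted form never touches disk. PBES2: AES-256-CBC, key derived from
# the passphrase with PBKDF2-HMAC-SHA256 at 600000 iterations.
gen_encrypted_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 2>/dev/null |
    openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 -iter 600000 \
      -passout "pass:$PASS" -out "$WORK/key.enc.pem"
  chmod 600 "$WORK/key.enc.pem"
}

# Check 1: the stored file must be an ENCRYPTED PRIVATE KEY block, not a
# plaintext PRIVATE KEY block.
is_encrypted() {
  grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$WORK/key.enc.pem" &&
    ! grep -q '^-----BEGIN PRIVATE KEY-----' "$WORK/key.enc.pem"
}

# Check 2: returns success only if the given passphrase decrypts the key.
unlocks_with() {
  openssl pkey -in "$WORK/key.enc.pem" -passin "pass:$1" -noout >/dev/null 2>&1
}

# Check 3: the encrypted key still signs a (constructed) release artefact and
# the derived public key verifies that signature.
sign_and_verify() {
  printf 'release-1.2.3.tar.gz' > "$WORK/msg"
  openssl pkey -in "$WORK/key.enc.pem" -passin "pass:$PASS" \
    -pubout -out "$WORK/pub.pem" 2>/dev/null
  openssl dgst -sha256 -sign "$WORK/key.enc.pem" -passin "pass:$PASS" \
    -out "$WORK/sig" "$WORK/msg"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig" \
    "$WORK/msg" >/dev/null
}

# Usage when run stand-alone: build the key and run the three checks.
gen_encrypted_key
is_encrypted
unlocks_with "$PASS"
if unlocks_with "wrong-passphrase"; then
  echo "wrong passphrase must not unlock the key" >&2
  exit 1
fi
sign_and_verify
echo "encrypted private key stored at $WORK/key.enc.pem and verified"
```

The pipeline from `genpkey` into `pkcs8` is the important design choice: the plaintext key exists only in memory between the two processes. The iteration count is what makes a brute-force attempt on a stolen file expensive; with a weak passphrase no iteration count saves the key, which is the whole point of the subtitle.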

--


Prof Bill Buchanan OBE FRSE
ASecuritySite: When Bob Met Alice
