Private Keys as used by SSH servers, clients and generally by any cryptographic software need to be stored and manipulated securely. These may get replaced with smartcards soon, but in the mean time it appears to be an interesting use case.

All Unix systems that I am aware of do not allow secrets to be protected in a manner that I would feel is appropiate. A users compromised web browser could either read your private key file or talk to the very popular ssh-agent program and get your secrets out (not sure how popular distributions are configured, but it can be done).

The requirements so far are:

  • The secrets should not be available to general programs
  • The ability to use secrets for their intended purpose (signing/encryption/decryption/ssl streams)
  • Programs using decrypted data should be, by default, confined so that the data can't escape
  • Must be able to backupand restore secrets securely
  • Upgrading the agent software must be possible! using the backup/restore mechanism?

-- ?SamMason - 11 Jan 2007