Redis currently does not seem to support encrypted SSL private keys, because there is no config option to pass the passphrase to the server.
A config option like tls_key_passphrase would help in cases where the SSL private keys are encrypted.
Comment From: yossigo
Hello @SivaBu-kore, thanks for this input.
From my POV, the only incentive to support encrypted private keys is to improve security. However, simply storing the password in the configuration file pretty much defeats this purpose as again we have clear-text secrets on disk.
We can get some configuration through stdin (which is safe) or command line arguments (less safe, Redis rewrites argv but there's a window of time for exposure). However, those config parameters are still exposed through CONFIG GET or CONFIG REWRITE.
So, my take here is that before we address the specific SSL issue we need to come up with a secrets management scheme. Secrets would be configuration parameters that:
- Can only be provided through stdin, command line arguments or CONFIG SET.
- Are never returned on CONFIG GET.
- Are never written as part of CONFIG REWRITE.
Some existing configuration parameters can also be considered secrets, but we cannot enforce that for backwards compatibility.
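The three rules proposed in the comment above, modelled as a small configuration store. This is an added illustration, not Redis code: the class ConfigStore, the parameter name tls-key-passphrase, the file format and the sample config text are all assumptions made here to show the scheme (secrets settable only via stdin, argv or CONFIG SET; never returned by CONFIG GET; never persisted by CONFIG REWRITE).

```python
"""Toy model of a secrets-aware config store (added example, not Redis code).

Assumptions (hypothetical, for illustration only): parameters named in
SECRET_PARAMS are secrets; the config file uses 'key value' lines; argv uses
'--key value' pairs.
"""
import io
from typing import Dict, Iterable, List, Optional

# Assumed secret parameter names; Redis's real names may differ.
SECRET_PARAMS = frozenset({"tls-key-passphrase", "masterauth"})


class ConfigStore:
    def __init__(self) -> None:
        self.params: Dict[str, str] = {}   # ordinary, persistable settings
        self.secrets: Dict[str, str] = {}  # held in memory only
        self.file_lines: List[str] = []    # original file, kept for rewrite

    def _set(self, key: str, value: str) -> None:
        (self.secrets if key in SECRET_PARAMS else self.params)[key] = value

    def load_file(self, text: str) -> None:
        """Rule 1: a secret appearing in the on-disk config file is an error."""
        self.file_lines = text.splitlines()
        for line in self.file_lines:
            stripped = line.strip()
            if not stripped or stripped.startswith("#"):
                continue
            key, _, value = stripped.partition(" ")
            if key in SECRET_PARAMS:
                raise ValueError(f"secret {key!r} must not be stored in the config file")
            self._set(key, value.strip())

    def load_stdin(self, stream) -> None:
        """Secrets may arrive on stdin as 'key value' lines."""
        for line in stream:
            stripped = line.strip()
            if stripped:
                key, _, value = stripped.partition(" ")
                self._set(key, value.strip())

    def load_argv(self, argv: Iterable[str]) -> None:
        """Secrets may also arrive as '--key value' command line pairs."""
        items = list(argv)
        for i in range(0, len(items) - 1, 2):
            if items[i].startswith("--"):
                self._set(items[i][2:], items[i + 1])

    def config_set(self, key: str, value: str) -> None:
        self._set(key, value)

    def config_get(self, key: str) -> Optional[str]:
        """Rule 2: a secret is never returned, not even in redacted form."""
        if key in SECRET_PARAMS:
            return None
        return self.params.get(key)

    def config_rewrite(self) -> str:
        """Rule 3: regenerate the file with current non-secret values only."""
        out, seen = [], set()
        for line in self.file_lines:
            key = line.strip().partition(" ")[0]
            if key in self.params:
                out.append(f"{key} {self.params[key]}")
                seen.add(key)
            else:
                out.append(line)  # comments and blank lines are preserved
        for key, value in self.params.items():
            if key not in seen:
                out.append(f"{key} {value}")
        return "\n".join(out) + "\n"

    def secret_available(self, key: str) -> bool:
        """Internal check (e.g. before decrypting the TLS key); exposes no value."""
        return key in self.secrets


def rejects_secret_in_file(text: str) -> bool:
    try:
        ConfigStore().load_file(text)
    except ValueError:
        return True
    return False


def demo() -> Dict[str, object]:
    # Constructed sample config and stdin input, for illustration only.
    conf = "port 6379\n# tls settings\ntls-port 6380\ntls-key-file /etc/redis/server.key\n"
    store = ConfigStore()
    store.load_file(conf)
    store.load_stdin(io.StringIO("tls-key-passphrase hunter2\n"))
    store.config_set("tls-port", "6443")
    rewritten = store.config_rewrite()
    return {
        "get_secret": store.config_get("tls-key-passphrase"),
        "secret_loaded": store.secret_available("tls-key-passphrase"),
        "get_tls_port": store.config_get("tls-port"),
        "rewrite_leaks_secret": "hunter2" in rewritten,
        "rewrite": rewritten,
    }
```

The rewrite keeps the file's own comments and ordering so that CONFIG REWRITE stays a faithful round-trip of everything except the secrets, which only ever live in memory.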
Comment From: joostdecock
> From my POV, the only incentive to support encrypted private keys is to improve security. However, simply storing the password in the configuration file pretty much defeats this purpose as again we have clear-text secrets on disk.
There's another use-case: unlike a clear-text key, an encrypted key could be checked into git, or baked into a container image.
Obviously the points you raise remain valid. I just wanted to point out that adding this configuration option would allow keeping key+certificate under version control.
As such, I feel some sort of tls_key_passphrase configuration option would add value even without other changes.
Comment From: yossigo
Thanks @joostdecock, this is a good point.
Comment From: funnyleo
When will this function be published, please?