How to properly secure certificates and keys?

Eugeny · January 17, 2022, 2:56pm

Mosquitto library uses certificates and keys for connection, this is great. But as far as I see it requires paths to the respective files. This means the security data is stored in the file system. This means if system is stolen and booted, these certificates/keys can be also stolen, even if they are located on encrypted volume (which must be mounted to provide access for mosquitto_tls_set()).

What are the recommended options to protect certificate/key data if system is stolen? Apart from setting user password/restricting console usage? Any way supplying security data to the mosquitto client library without file system in the middle?

roger.light · January 17, 2022, 3:21pm

You can optionally use your own openssl SSL_CTX instance instead of the one the library creates, this gives you complete control of what is loaded into that instance, and how.

/* Provide my own SSL_CTX: */
mosquitto_void_option(mosq, MOSQ_OPT_SSL_CTX, my_ssl_ctx);
/* Don't use any of the default settings, in particular don't load certs: */
mosquitto_int_option(mosq, MOSQ_OPT_SSL_CTX_WITH_DEFAULTS, 0);

Does that help?

Roger

Topic		Replies	Views
Unable to use encryption Community Q&A	9	78	December 11, 2024
Configurate Mosquitto Broker to work over ssl inside a local private network Community Q&A	5	559	October 13, 2021
Still being able to connect to broker after enabling require_certificate Community Q&A	3	3828	August 18, 2021
Does Mosquitto mess with file ownership? Issues	3	314	October 14, 2022
How to set up libmosquitto with TPM (tpm2tss) Tech Talk	4	872	July 8, 2022

How to properly secure certificates and keys?

Related topics