I usually worry about memory corruption with leaving my public and private keys in memory for access throughout my applications. I'm very new to Go and I'm wondering what the best practice is for making these keys available.
Is Go safe enough that I should be able to store these in memory, no problem. Or should I only keep my public key in memory for validation and load my private key every time I need to sign a token?
分享 What you're probably looking for is called a Hardware Security Module (HSM). With AWS and Google Cloud the HSM is wrapped and access is provided via a Key Management Service API.
This essentially separates your keys from your server in a similar way a Yubikey affords protection for laptop/desktop encryption keys.
AWS provides both "CloudHSM" and "KMS";
Google Cloud provides "Cloud KMS"
If you use these services it means you submit raw data to the API and receive back encrypted data or to decrypt submit the encrypted data. In practise this limits the ability of an attacker to steal your keys, offsite the data, and decrypt in bulk. Access Control is managed through IAM. If your sites compromised they can still decrypt the data on the compromised servers which requires that you monitor "normal" behaviour for KMS requests. It doesn't eliminate the threat but it can help minimise the impact.
分享
