How to change GELI passphrase on FreeBSD 11 Root-On-ZFS system with mirror RAID?
Swap devices are also mirrored and ancrypted.
I have /dev/ada0p5.eli /dev/ada1p5.eli and /dev/mirror/swap.eli devices.
Thank You.
I'm working with Apache2 and Passenger for a Rails project. I would like to create a self-signed SSL Certificate for testing purposes.
sudo openssl rsa -des3 -in server.key -out server.key.new
When i enter the above command, it says
writing RSA key
Enter PEM pass phrase:
If i do not enter the pass phrse, im getting the below error
unable to write key
3079317228:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:Yo
u must type in 4 to 1024 characters
3079317228:error:0906406D:PEM routines:PEM_def_callback:problems getting passwor
d:pem_lib.c:111:
3079317228:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:382
Is it possible to generate a RSA key without giving pass phrase, since I am not sure how the /etc/init.d/httpd script will start the HTTP server without human intervention (i.e. If I give a 4 character pass phrase, it expects me to provide this while starting the Apache HTTP server).
I am using duplicity to perform backups on my server. Right now duplicity is encrypting the backup using a GPG public-private key system. I would prefer to encrypt the backup files using just a passphrase, so I don't have to try and keep up with secret keys. How can I configure the backups to be encrypted this way?
Thanks,
Mike
I currently use a server SSL certificate without a pass-phrase in order to allow Apache to start up unattended.
There are signs from customers to require us to protect the SSL certificate more securely. I'm not sure yet what they are aiming for, but for now I guess that they don't want an unprotected SSL certificate on the disk. I suppose I can't avoid having it in the clear inside Apache's memory but let's assume that's acceptable.
I came up with an elaborate system to keep the pass-phrase in the memory of a process on an internal server (i.e. not on the front-line web server) and hand it over to the front-line server using an Apache SSLPassPhraseDialog (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslpassphrasedialog). The internal server will have to have the pass-phrase typed in to it when it starts, and we'll have multiple such servers load-balanced for high availability.
My question is:
- How do the "big boys" protect their SSL certificate? Do they just force their stuff to type the pass phrase on server restart or do they keep it unencrypted like the rest of us?
- My experience with open source is that there is a very good chance that someone has already solved whatever problem I face - is such a system available already?
- Would it be reasonable, from business level perspective, to just say that we keep the certificate unencrypted and just have rapid procedures to revoke it if stolen?
I have an existing public/private key pair. The private key is password protected, and the encryption may be either RSA or DSA. These keys are the kind you generate with ssh-keygen and generally store under ~/.ssh.
I'd like to change the private key's password. How do I go about it, on a standard Unix shell?
Also, how do I simply remove the password? Just change it to empty?