In the first post in this series, we describe several approaches to improving the security of your SSL private keys. The post finished with a demonstration of a remote password distribution point (PDP) used to securely share encryption passwords with NGINX instances.
Secrets management systems like HashiCorp Vault operate in a similar fashion to that sample PDP:
- They use a central (or highly available and distributed) secrets service that is accessed using HTTPS or another API
- Clients are authenticated by authentication tokens or other means
- Tokens can be revoked as required to control access to the secret
In this post, we show how to set up HashiCorp Vault to distribute SSL passwords. For even more security, you can set up an external hardware security module (HSM).
To completely eliminate on‑disk storage of SSL certificate‑key pairs, see the third post in this series, Using the NGINX Plus Key-Value Store to Secure Ephemeral SSL Keys from HashiCorp Vault. It explains how to generate ephemeral SSL keys from HashiCorp Vault and store them in memory in the NGINX Plus key‑value store.
This post applies to both NGINX Open Source and NGINX Plus. For ease of reading, we’ll refer to NGINX throughout.
Using HashiCorp Vault to Protect SSL Private Keys
The instructions in this section set up a central PDP server using Vault to distribute SSL passwords. They are based on DigitalOcean’s instructions; modify them as necessary to comply with your own Vault policies.
In our example, each remote web server has a unique authentication token. These tokens can be used to access secrets in Vault’s secret/webservers/ path, and we store the SSL passwords in secret/webservers/ssl_passwords.
We will see how to secure the tokens, and how to revoke individual authentication tokens when necessary.
Download, Install, and Initialize HashiCorp Vault on the PDP Server
- Follow the DigitalOcean instructions to download and extract Vault on your PDP server. We’re using the following sample /etc/vault.hcl file to make Vault remotely accessible, and to disable TLS (for ease of use when testing):
- Start Vault using the startup scripts (if you created them), or manually:
- Initialize Vault and obtain the Initial Root Token:
- We need to provide the Initial Root Token in many of the following commands. For convenience, we assign it to the
root_tokenshell variable:
Store the Secrets
- Still working on the PDP server, create a temporary file called /tmp/ssl_passwords.txt with the passwords in it.
- Store this file as a secret in Vault, and verify that you can retrieve it:
- For security, delete /tmp/ssl_passwords.txt.
- Create a policy specification in a file called web.hcl with the following contents:
- Load the policy into Vault, naming it
web: - Create a new authentication token, associate it with the
webpolicy, and optionally include thedisplay-nameparameter to give it a user‑friendly name. Make a note of thetokenandtoken_accessorvalues; you’ll use them in subsequent commands: The NGINX web server uses this token to retrieve the SSL passwords. Thewebpolicy prevents the web server from retrieving secrets outside the secret/webservers/* path.
Verify the Web Server Can Retrieve the Token
- Working on the NGINX web server, install the Vault binary.
- Declare the location of the remote Vault server (here, http://pdp:8200), and then verify that the web server machine can retrieve the SSL passwords using the token:
Configure the NGINX Vault Connector on the Web Server
- As part of setting up the sample PDP in the first post, we created a shell script called connector.sh on the NGINX host (web server machine). Here we modify it to use Vault:
- Run the script as a background process, invoked as follows:
- Test the connector by reading from the connector path:
- Configure NGINX to read the ssl_passwords file on startup, and to use the contents as passwords to decrypt encrypted private keys. You can include the
ssl_password_filedirective either in aserverblock (like the one created for the standard configuration in the first post) or in thehttpcontext to apply it to multiple virtual servers: - Verify that NGINX can read the password and decrypt the SSL keys:
Revoking a Web Server’s Authentication Token
You can easily revoke access if the web server is compromised or when it is decommissioned. To do so, you can directly revoke the authentication token used by the web server:
Vault tokens are sensitive items of data, and many Vault workflows do not store copies of tokens that are issued to an authenticated client. If a copy of a token is leaked, an attacker can impersonate the client.
Instead, it’s common to manage an active token using its accessor, which gives limited rights over the token and cannot be used to retrieve the token value. Rather than storing tokens when they are issued, store its corresponding accessor.
If you need to determine the accessor for a web server’s authentication token, run the vault list command to retrieve the list of accessors, and the vault token lookup command on each accessor to find the one with the relevant display name and policy:
You can then revoke the token using its accessor:
Security Implications
Using Vault has a similar security profile to the sample PDP described in the first post. SSL private keys can only be obtained if the corresponding password is obtained, and for this, an attacker needs to know the value of a current authentication token.
The primary benefit of using Vault is to automate and scale the secret store.
Using an External HSM to Manage Private Keys
None of the solutions we’ve covered so far in the series protect the private key when an attacker gains root access to the NGINX server. If an attacker can access NGINX’s runtime memory or generate a core dump, there are well‑known techniques to scan the process’s memory and locate private key data.
External hardware security modules (HSMs) address this by storing the SSL private keys in external, tamper‑proof hardware. They offer decryption as a service, and NGINX accesses that service whenever it needs to perform an SSL operation that requires the kay.
The NGINX server never sees the SSL private key data. An attacker who gains root access on the server cannot obtain the SSL private key, but can decrypt data on demand by accessing the HSM decryption service using the NGINX credentials.
Configuring NGINX to Access an HSM
NGINX delegates all SSL private key operations to a crypto library called OpenSSL. Third‑party HSM devices can be made available to NGINX by using the HSM vendor’s OpenSSL engine.
The NGINX configuration is specific to each vendor HSM, but generally follows a straightforward path:
- Configure NGINX to use the vendor’s OpenSSL engine rather than the default software engine:
- Rather than using the real private key, configure NGINX to use the vendor‑supplied ‘fake’ key. This key contains a handle that identifies the real key on the HSM device: The key may also contain the credentials to access the HSM device, or the credentials may be provided using additional vendor‑specific configuration.
- (Optional) Apply any desired tuning, such as increasing the number of NGINX worker processes, to maximize the performance of NGINX and the HSM.
For an example of HSM setup, refer to Amazon’s CloudHSM documentation.
Security Implications
External HSMs are a highly secure method of storing SSL private keys. An attacker with root access to the NGINX server is able to leverage the NGINX credentials to decrypt arbitrary data using the HSM but is not able to obtain the unencrypted private key. An HSM makes it significantly harder for an attacker to impersonate a website or to decrypt arbitrary data offline.
Conclusion
It’s essential to ensure that secret data such as the SSL private key is fully protected because the consequences of disclosure are very serious.
For many organizations with appropriate security processes in place, it’s sufficient to store the private key on the frontend load balancers and then limit and audit all access to those servers (the standard configuration described in the first post).
For organizations that need to deploy NGINX configuration frequently, the measures in this post and the first one can be used to limit the users or entities who can see the private key data.
In the third post in this series, Using the NGINX Plus Key-Value Store to Secure Ephemeral SSL Keys from HashiCorp Vault, we explain how to automate the provisioning of keys and certificates from Vault to NGINX Plus’s key‑value store, using the NGINX Plus API.
Note again that none of these methods reduces the need to fully secure the running NGINX instances from remote access or configuration manipulation.
Try NGINX Plus for yourself – start your free 30-day trial today or contact us to discuss your use cases.
About the Author
Related Blog Posts
Secure Your API Gateway with NGINX App Protect WAF
As monoliths move to microservices, applications are developed faster than ever. Speed is necessary to stay competitive and APIs sit at the front of these rapid modernization efforts. But the popularity of APIs for application modernization has significant implications for app security.
How Do I Choose? API Gateway vs. Ingress Controller vs. Service Mesh
When you need an API gateway in Kubernetes, how do you choose among API gateway vs. Ingress controller vs. service mesh? We guide you through the decision, with sample scenarios for north-south and east-west API traffic, plus use cases where an API gateway is the right tool.
Deploying NGINX as an API Gateway, Part 2: Protecting Backend Services
In the second post in our API gateway series, Liam shows you how to batten down the hatches on your API services. You can use rate limiting, access restrictions, request size limits, and request body validation to frustrate illegitimate or overly burdensome requests.
New Joomla Exploit CVE-2015-8562
Read about the new zero day exploit in Joomla and see the NGINX configuration for how to apply a fix in NGINX or NGINX Plus.
Why Do I See “Welcome to nginx!” on My Favorite Website?
The ‘Welcome to NGINX!’ page is presented when NGINX web server software is installed on a computer but has not finished configuring