
I'm trying to devise a method to protect my HAProxy SSL certificates while at rest on disk so that if the load-balancer host gets hacked, the SSL certificates will not be sitting there ripe for the attacker to pluck.

I realize that at the very least, the certificates must be available in memory in order to be used by HAProxy to negotiate SSL connections. However, I’d like to do whatever is possible to keep the certificates secure.

How can I set up the ssl-cert directory to be protected and/or encrypted and be available to HAProxy only when it needs the information (presumably when the service is started)?

Currently I see two ways this could be achieved.

  1. Use some sort of linux/*nix filesystem-level encryption.

This means munging the HAProxy init/upstart script to require a specific password or key file to exist on disk. This password is then used to extract the certs from an encrypted archive file (e.g. RAR or something?) into the HAProxy /etc/haproxy/certs directory. After the HAProxy service has started, use srm on the password/key file along with the /etc/haproxy/certs directory.

  2. Create an external API service management layer which runs on a different (super secured) host. This service will store the certificates and orchestrate load-balancer service restarts and reloads. This service would rsync over the HAProxy certs directory, restart or reload it via ssh, and then ssh … srm the certs directory to securely erase the /etc/haproxy/certs directory.

I’d appreciate feedback on these ideas, any relevant experience, or any other way this security goal can be achieved.

Additional resources:

Here is a relevant related question on SO regarding multi-SSL HAProxy.

HAProxy SSL termination documentation

KirstensAmazing

1 Answer


Although this isn't the right forum for your question, here's an answer:

Simply protect your SSL certificates with a passphrase.

Upon starting HAProxy, your SSL Library will ask for the passphrase.

Keep in mind that you will need to type the passphrase every time you start/restart HAProxy.

liquidity
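An added check, not part of the question or the answer above, that a defender can run after adopting either the "decrypt into /etc/haproxy/certs at start" approach from the question or the passphrase approach from the answer: it walks a certs directory and flags PEM files that grant group/other access and private keys stored without passphrase protection. The layout (one .pem holding certificate and key, as HAProxy's `crt` directive accepts) and the sample directory contents are assumptions; the sample keys are constructed placeholder text, not real key material.

```python
import os
import stat
import tempfile
from pathlib import Path

# Markers showing the private key on disk is passphrase-protected: the legacy
# OpenSSL format adds a "Proc-Type: 4,ENCRYPTED" header, PKCS#8 uses a
# dedicated "ENCRYPTED PRIVATE KEY" block type.
ENCRYPTED_MARKERS = ("Proc-Type: 4,ENCRYPTED", "-----BEGIN ENCRYPTED PRIVATE KEY-----")
PRIVATE_KEY_MARKERS = ("-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN EC PRIVATE KEY-----",
                       "-----BEGIN PRIVATE KEY-----", "-----BEGIN ENCRYPTED PRIVATE KEY-----")


def audit_pem_file(path):
    """Return a list of findings (strings) for one PEM file; empty list means it passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path.name}: mode {oct(mode)} grants group/other access; expected 0600")
    text = path.read_text(errors="replace")
    has_key = any(m in text for m in PRIVATE_KEY_MARKERS)
    if has_key and not any(m in text for m in ENCRYPTED_MARKERS):
        findings.append(f"{path.name}: private key is stored unencrypted (no passphrase)")
    return findings


def audit_cert_dir(directory):
    """Audit every *.pem file under the given certs directory (e.g. /etc/haproxy/certs)."""
    findings = []
    for path in sorted(Path(directory).glob("*.pem")):
        findings.extend(audit_pem_file(path))
    return findings


def build_sample_dir():
    """Constructed throwaway directory: one weak bundle and one hardened bundle (placeholder data)."""
    d = Path(tempfile.mkdtemp())
    weak = d / "weak.pem"
    weak.write_text("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                    "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n")
    weak.chmod(0o644)  # world-readable: the condition the question wants to avoid
    good = d / "good.pem"
    good.write_text("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n")
    good.chmod(0o600)  # owner-only, passphrase-protected key
    return d


if __name__ == "__main__":
    for finding in audit_cert_dir(build_sample_dir()):
        print(finding)
```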