Frank recently asked the PCI DSS guru the following question:

“I have a large number of Linux servers that are in scope for PCI in my environment. One example would be an SSL web server that receives inbound messages. Another one would be an application server that may need to decrypt PGP-encrypted files. The SSL certificate and the PGP key both have strong passwords (an 18-character combination of alphanumeric characters and symbols).

Per PCI requirements, I have to protect these passwords and not store them in plaintext.

These servers are periodically restarted during regular patching maintenance. And during restart, the applications need to be able to obtain the unencrypted password without manual intervention. Therefore these passwords must be stored on disk where they are accessible by the Linux servers.

What is the best practice for protecting these passwords while they are stored on disk?”

Frank, you’ve stumbled upon one of the most difficult aspects of PCI DSS: managing your encryption keys. You are absolutely correct that you cannot store your encryption keys in plaintext on your web server, as this would violate PCI DSS requirement 3.5.2, which gives you three options for protecting private keys:

  • Encrypt them with a key-encrypting key that is at least as strong as the data-encrypting key and is stored in a separate location from the data-encrypting key
  • Store them within a secure cryptographic device (such as a hardware security module)
  • Store them as at least two full-length key components or key shares (split knowledge)
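To make the first and third options concrete, here is an added example (not from the original column or from any of the products it mentions) in Go. It wraps the 18-character passphrase under a separate key-encrypting key with AES-256-GCM, stores the KEK and the wrapped blob in two different directories standing in for two separate locations (for instance a volume that is only mounted at boot versus the application's config directory), reads them back the way an init script would, and separately shows the "two pieces" option as an XOR split where either piece alone reveals nothing. The passphrase, directory layout and file names are constructed for the example; the KEK strength (256 bits) is chosen to be at least as strong as the keys it protects, as the requirement asks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key-encrypting key.
func newGCM(kek []byte) (cipher.AEAD, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WrapSecret encrypts a secret (the passphrase protecting a TLS or PGP private
// key) under the KEK. Output is nonce || ciphertext || tag, so any change to
// the stored blob is detected on unwrap instead of yielding garbage.
func WrapSecret(kek, secret []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, nil), nil
}

// UnwrapSecret reverses WrapSecret; it errors on a wrong KEK or tampered blob.
func UnwrapSecret(kek, wrapped []byte) ([]byte, error) {
	gcm, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < gcm.NonceSize() {
		return nil, errors.New("wrapped blob too short")
	}
	nonce, ct := wrapped[:gcm.NonceSize()], wrapped[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// SplitSecret is the "two pieces" option: share1 is random, share2 is
// secret XOR share1, so each piece on its own carries no information.
func SplitSecret(secret []byte) (share1, share2 []byte, err error) {
	share1 = make([]byte, len(secret))
	if _, err = rand.Read(share1); err != nil {
		return nil, nil, err
	}
	share2 = make([]byte, len(secret))
	for i := range secret {
		share2[i] = secret[i] ^ share1[i]
	}
	return share1, share2, nil
}

// CombineShares recovers the secret only when both pieces are present.
func CombineShares(share1, share2 []byte) ([]byte, error) {
	if len(share1) != len(share2) {
		return nil, errors.New("share length mismatch")
	}
	out := make([]byte, len(share1))
	for i := range share1 {
		out[i] = share1[i] ^ share2[i]
	}
	return out, nil
}

// StoreWrapped generates a KEK, wraps the passphrase, and writes the KEK to
// kekDir and the wrapped blob to appDir (constructed stand-ins for two
// separate locations), both owner-readable only.
func StoreWrapped(kekDir, appDir string, passphrase []byte) error {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return err
	}
	wrapped, err := WrapSecret(kek, passphrase)
	if err != nil {
		return err
	}
	if err := os.WriteFile(filepath.Join(kekDir, "kek.bin"), kek, 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(appDir, "passphrase.enc"), wrapped, 0o600)
}

// RecoverPassphrase is what an unattended restart would run: read the KEK from
// its own location, read the wrapped blob, and unwrap without any operator input.
func RecoverPassphrase(kekDir, appDir string) ([]byte, error) {
	kek, err := os.ReadFile(filepath.Join(kekDir, "kek.bin"))
	if err != nil {
		return nil, err
	}
	wrapped, err := os.ReadFile(filepath.Join(appDir, "passphrase.enc"))
	if err != nil {
		return nil, err
	}
	return UnwrapSecret(kek, wrapped)
}

func main() {
	passphrase := []byte("Xk9#mQ2$vL7@pR4&wZ") // constructed 18-character sample, not a real credential
	kekDir, _ := os.MkdirTemp("", "kek")
	appDir, _ := os.MkdirTemp("", "app")
	defer os.RemoveAll(kekDir)
	defer os.RemoveAll(appDir)
	if err := StoreWrapped(kekDir, appDir, passphrase); err != nil {
		fmt.Println("store failed:", err)
		return
	}
	got, err := RecoverPassphrase(kekDir, appDir)
	fmt.Println("recovered passphrase matches:", err == nil && bytes.Equal(got, passphrase))
	s1, s2, _ := SplitSecret(passphrase)
	joined, _ := CombineShares(s1, s2)
	fmt.Println("two pieces recombine:", bytes.Equal(joined, passphrase))
}
```

The point to check in an audit is where `kek.bin` actually lives: if it sits on the same disk, in the same backup set and under the same file permissions as `passphrase.enc`, the wrapping adds nothing, because whoever copies the one file copies the other. The separate location is the control, and a hardware security module (the second option above) is simply the strongest form of it.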

Things can get really complicated, really quickly. In my opinion, it’s best to turn to commercial technology for this purpose. Don’t try to roll your own key management solution. Instead, look at some of the products currently available on the market, such as RSA Key Manager, StrongAuth, and Alliance Key Management.