Hi Sherif,
This works as expected. The key is only accessible to the current
process. The password to encrypt the key is contained in the memory
allocated by the current process.
If you had the password anywhere else, you would not have to
encrypt the key. You could still rely on the default file access
protection of the encryption key.
You can, however, increase the logrotate time for Apache. Then you would
have to re-enter the password only once a week or once a month.
Imagine creating a service that passes the password to the Apache
process. There is no secure way to ensure that the Apache process, and
not another process, accesses the password.
What attack scenarios did you want to mitigate in the first place?
Kind regards
Cornelius
--
Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417
NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798
Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel