Best Practices for private key files handling

Philip Prindeville philipp_subx at
Tue Sep 13 20:17:12 UTC 2022


I'm working on a bug in an application where the application config is given the directory path in which to find a key-store, which it then loads.

My issue is this: a regular UNIX file is trivial to handle (make sure it's owned by "root" or the uid that the app runs at, and that it's 0600 or 0400 permissions... easy-peasy).

But what happens when the file we encounter is a symlink?  If the symlink is owned by root but the target isn't, or the target permissions aren't 0600 0r 0400...  Or the target is a symlink, or there's a symlink somewhere in the target path, etc.

So... what's the Best Practices list for handling private key materials?  Has anyone fleshed this out?

The specific bug, if anyone is interested, is:



More information about the openssl-users mailing list