Private Key Security Risks
This cluster discusses vulnerabilities and risks associated with private cryptographic keys, including theft by hackers, insiders, or governments, secure storage in HSMs, and scenarios like key escrow or client-side exposure.
Activity Over Time
Top Contributors
Keywords
Sample Comments
Can't the key get stolen if it's on the client?
Let me guess: as long as there's key escrow or equivalent.
Private keys can be stolen or extracted via bribery, etc.
Probably the keys are on well-guarded offline HSMs.
What is the attack you're envisaging?Presumably they detect unauthorized case-intrusion and immediately delete the keys. This isn't foolproof, but it's probably good enough to stop anyone except the people that are going to get the data no matter what you do.
Once a malicious 3rd party gets the keys to this kingdom it is game over.
That's wrong. Insiders can leak the private key, or hackers can take it.
If there is a way to extract the keys then the keys will be extracted by rogue actors.
Do we know they don't have access to the private keys?
The response to your devil's advocate argument is: giving you the keys is not actually a solution, because now every foreign government is racing to break, steal or buy those keys, and not only can we not guarantee that it won't happen, but we can't even discover if it happens, or when. We can build a secret entrance, but we cannot guard it!