keyless signing
Definition
Keyless signing is a cryptographic process that allows digital signatures to be created without the need for a private key to be stored or managed by the signer. This is typically achieved through the use of hardware security modules (HSMs) or cloud-based key management services that generate and use ephemeral keys for each signing operation, enhancing security by reducing the risk of key compromise.
Secure Settings Example
# Example configuration for a cloud-based keyless signing service
signing:
provider: cloudHSM
keyManagement:
ephemeralKeys: true
accessControl:
allow:
- serviceAccount: signing-service@project.iam.gserviceaccount.com
deny:
- allUsers
auditLogging: enabled
Insecure Settings Example
# Example of insecure key management with persistent keys
signing:
provider: local
keyManagement:
persistentKeys: true
keyStoragePath: /etc/keys/private.key
accessControl:
allow:
- allUsers
auditLogging: disabled