Suppose I have a server that generates a private key in memory upon starting.
Is there any way for a snooping administrator (say from Heroku or Nodejitsu) to recover that private key while that server instance is running (i.e. somehow access it within memory)?
If it matters, I’m running this on Node.js.
It depends on what systems they use and if they have features to prevent that from happening. Otherwise I can say that administrators who have access to the host can get your private key in so many ways. For example, they can freeze your instance and save its state, which basically copies the memory to the hard disk, then unfreeze it, and that doesn’t take long on fast systems. Also, they can dump the memory of your instance, since it is simply a running app under the hypervisor. These might not be easy to do, but based on my experience in the security field I can say they are very possible.
However, I think you should store the encrypted version of your key in memory, and only decrypt it when it is being used, so the decrypted version is only stored temporarily in the CPU registers.
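
The "keep it encrypted, decrypt only for use" suggestion above, sketched for Node.js as an added example (not code from the question or the answer). `WrappedKey`, `use`, `signWith` and `demo` are hypothetical names, and the wrapping key is assumed to come from outside the host; here it is random and held in the same process, so a full memory dump would still capture it.

```javascript
const crypto = require('crypto');

// Keeps a PKCS#8 private key AES-256-GCM-wrapped; plaintext exists only inside use().
class WrappedKey {
  constructor(plainDer, wrappingKey) {
    // Assumption: in a real deployment wrappingKey is supplied from outside the host.
    this.wrappingKey = wrappingKey;
    this.iv = crypto.randomBytes(12);
    const cipher = crypto.createCipheriv('aes-256-gcm', wrappingKey, this.iv);
    this.ct = Buffer.concat([cipher.update(plainDer), cipher.final()]);
    this.tag = cipher.getAuthTag();
    plainDer.fill(0); // wipe the caller's plaintext copy
  }

  // Decrypt into a temporary Buffer, hand it to fn, then zero it even if fn throws.
  use(fn) {
    const d = crypto.createDecipheriv('aes-256-gcm', this.wrappingKey, this.iv);
    d.setAuthTag(this.tag);
    const parts = [d.update(this.ct), d.final()];
    const der = Buffer.concat(parts);
    parts.forEach((p) => p.fill(0));
    try {
      return fn(der);
    } finally {
      // Only our Buffer is wiped: the key object Node/OpenSSL builds during
      // sign() keeps its own copy until it is garbage-collected.
      der.fill(0);
    }
  }
}

function signWith(wrapped, data) {
  return wrapped.use((der) =>
    crypto.sign('sha256', data, { key: der, format: 'der', type: 'pkcs8' }));
}

// Constructed demo: generate a key at startup, wrap it, sign, verify, check wiping.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'der' },
    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
  });
  const wrapped = new WrappedKey(privateKey, crypto.randomBytes(32));
  const msg = Buffer.from('constructed sample message');
  const sig = signWith(wrapped, msg);
  const verified = crypto.verify('sha256', msg,
    { key: publicKey, format: 'der', type: 'spki' }, sig);
  let temp;
  wrapped.use((der) => { temp = der; }); // keep a reference to inspect after wiping
  const zero = (b) => b.every((x) => x === 0);
  return { verified, originalWiped: zero(privateKey), tempWiped: zero(temp) };
}
```

This shortens the time the plaintext key sits in the process heap; it does not stop a host administrator who snapshots the instance while `use()` is running or who can also read the wrapping key.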