Demo Series: Protect Web Servers From Exposing TLS Keys

Published on
Jan 18, 2024
Welcome to our demo video on how Anjuna Seaglass can protect your web server's TLS keys from being exposed to attackers who reach hosts.
https://www.anjuna.io/blog/demo-series-protect-web-servers-from-exposing-tls-keys

We’ll focus on the web server component of a typical multi-tier app architecture. As you may know, an attacker who gains root access to the server running NGINX can see everything on it, including the TLS private key, which can be extracted from memory or simply found in storage. Let’s see this in action.

The Attacker’s Perspective on Gaining Access

We’ll play the role of an attacker and gain root access to the server running NGINX. From there, we’ll quickly locate the directory where the TLS keys are stored in clear text. Once we have this private key, we can use it to decrypt all inbound traffic or impersonate the server to perform man-in-the-middle attacks.
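The two exposure paths named above (the key sitting on disk in clear text, and the key readable by anyone who reaches the host) are easy to check for from the defender's side. The script below is an added example, not code from Anjuna or from the video: it pulls `ssl_certificate_key` directives out of an NGINX configuration and flags keys that are unencrypted PEM or readable by group/other. The config text and key files are constructed inline so it runs offline; the PEM bodies are placeholders, not real key material.

```python
"""Audit NGINX TLS private keys at rest (added example, not Anjuna's code)."""
import os
import re
import stat
import tempfile

# Matches `ssl_certificate_key /path/to/file.key;` (optionally quoted).
SSL_KEY_RE = re.compile(r"^\s*ssl_certificate_key\s+([^;]+);", re.MULTILINE)


def find_key_paths(nginx_conf_text):
    """Return the file paths named by ssl_certificate_key directives."""
    return [m.group(1).strip().strip('"') for m in SSL_KEY_RE.finditer(nginx_conf_text)]


def is_encrypted_pem(pem_bytes):
    """True if the PEM is passphrase-wrapped (PKCS#8 encrypted or legacy DEK-Info)."""
    return (b"BEGIN ENCRYPTED PRIVATE KEY" in pem_bytes
            or b"Proc-Type: 4,ENCRYPTED" in pem_bytes)


def audit_key_file(path):
    """Return a list of findings for one key file; an empty list means no issue found."""
    findings = []
    try:
        with open(path, "rb") as f:
            data = f.read()
    except FileNotFoundError:
        return [f"{path}: file missing"]
    if b"PRIVATE KEY" not in data:
        findings.append(f"{path}: not a PEM private key")
    elif not is_encrypted_pem(data):
        findings.append(f"{path}: private key stored in clear text")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: readable by group/other (mode {oct(mode)})")
    return findings


def audit_nginx(conf_text):
    """Audit every key referenced by the given nginx.conf text."""
    findings = []
    for path in find_key_paths(conf_text):
        findings.extend(audit_key_file(path))
    return findings


def build_demo():
    """Constructed scenario: one clear-text world-readable key, one encrypted owner-only key."""
    d = tempfile.mkdtemp()
    clear = os.path.join(d, "clear.key")
    with open(clear, "wb") as f:  # placeholder body, not a real key
        f.write(b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n")
    os.chmod(clear, 0o644)
    enc = os.path.join(d, "enc.key")
    with open(enc, "wb") as f:  # placeholder body, not a real key
        f.write(b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n")
    os.chmod(enc, 0o600)
    conf = (f"server {{\n    ssl_certificate_key {clear};\n}}\n"
            f"server {{\n    ssl_certificate_key \"{enc}\";\n}}\n")
    return audit_nginx(conf)


if __name__ == "__main__":
    for finding in build_demo():
        print(finding)
```

Both findings this script raises are hygiene problems that a root-level attacker walks straight past: file modes do not bind root, and a passphrase-protected key still needs its passphrase somewhere on the host, which is exactly the secret zero problem the next section describes.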

The Secret Zero Problem

Even if you password-protect your keys or store them in a third-party secret store, like a vault or key management system, you’re not entirely safe from attackers. These mechanisms often require an initial password or master key that is vulnerable, just like the TLS key. This problem is commonly known as the secret zero problem. If you can’t protect the initial secret, an attacker can find it and gain access to your other secrets.

How Anjuna Seaglass Protects Your TLS Keys

Let’s see how Anjuna Seaglass can protect the TLS key from being exposed to attackers. Administrators invoke the Anjuna Confidential Runtime, which leverages new hardware capabilities in the cloud to protect data in use. Anjuna Seaglass creates a secure enclave for this web server to operate within. As you can see in the terminal, Anjuna Seaglass secures your application with one simple command, and the best part? You don’t have to re-engineer your application to get this protection.

Additionally, Anjuna Seaglass securely stores the TLS key in the Anjuna Policy Manager or an equivalent secret store. The Anjuna Policy Manager securely distributes the key only to a trusted NGINX web server that’s running in the secure enclave. The key is never exposed to the host or any potential attackers.
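The behaviour described here, a key store that hands the TLS key only to an enclave whose identity it can verify, is attestation-gated key release. The model below is an added example and is not the Anjuna Policy Manager's code or API: the hardware-signed attestation report is stood in for by an HMAC under a platform key that only the platform and the verifier hold (an assumption for the toy; real reports carry vendor-rooted signatures), the enclave measurement is a hash over the image and its configuration, and the key transport is returned directly rather than wrapped to an enclave-held public key, which a real deployment would do. The names `Enclave`, `PolicyManager` and `PLATFORM_KEY` are hypothetical.

```python
"""Attestation-gated key release, simplified (added example, not Anjuna's code)."""
import hashlib
import hmac
import secrets

# Toy stand-in for the hardware attestation signing key (assumption for this model).
PLATFORM_KEY = secrets.token_bytes(32)


def measure(image_bytes, config_bytes):
    """Hash of enclave image plus config; a real measurement is computed by the hardware."""
    return hashlib.sha256(image_bytes + b"\x00" + config_bytes).hexdigest()


class Enclave:
    """Hypothetical enclave that produces an attestation report bound to a challenge nonce."""

    def __init__(self, image, config):
        self.measurement = measure(image, config)

    def attest(self, nonce):
        report = f"{self.measurement}:{nonce.hex()}".encode()
        sig = hmac.new(PLATFORM_KEY, report, hashlib.sha256).digest()
        return report, sig


class PolicyManager:
    """Hypothetical key store: releases the TLS key only to an attested, allow-listed enclave."""

    def __init__(self, allowed_measurements, tls_key):
        self.allowed = set(allowed_measurements)
        self.tls_key = tls_key
        self.outstanding = set()  # nonces issued but not yet consumed

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def release_key(self, report, sig):
        expected = hmac.new(PLATFORM_KEY, report, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None  # report not produced by the platform
        measurement, nonce_hex = report.decode().split(":")
        nonce = bytes.fromhex(nonce_hex)
        if nonce not in self.outstanding:
            return None  # replayed or never-issued challenge
        self.outstanding.discard(nonce)
        if measurement not in self.allowed:
            return None  # enclave image or config does not match policy
        return self.tls_key


def run_scenarios():
    """Constructed scenario: trusted enclave, tampered enclave, replay, and host forgery."""
    image, config = b"nginx-enclave-image", b"nginx.conf"
    tls_key = b"CONSTRUCTED-TLS-KEY-PLACEHOLDER"
    pm = PolicyManager([measure(image, config)], tls_key)

    trusted = Enclave(image, config)
    report, sig = trusted.attest(pm.challenge())
    got_trusted = pm.release_key(report, sig)

    got_replay = pm.release_key(report, sig)  # same report presented again

    tampered = Enclave(image, b"nginx.conf + backdoor")
    r2, s2 = tampered.attest(pm.challenge())
    got_tampered = pm.release_key(r2, s2)

    # Host without the platform key claims the trusted measurement.
    forged = f"{measure(image, config)}:{pm.challenge().hex()}".encode()
    forged_sig = hmac.new(secrets.token_bytes(32), forged, hashlib.sha256).digest()
    got_forged = pm.release_key(forged, forged_sig)

    return got_trusted, got_replay, got_tampered, got_forged


if __name__ == "__main__":
    print(run_scenarios())
```

The point the model makes concrete is that the decision to release the key depends on what is running (the measurement) and on proof from the platform that the claim is genuine, not on who holds a password or a file, so a root user on the host has nothing to read and nothing to present.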

Secure Storage With Anjuna Seaglass

Now, let’s test the protection provided by Anjuna Seaglass. We’ll play the role of the attacker again. This time, when we try to find the TLS key in the file system, we don’t see it; it simply doesn’t exist there, thanks to Anjuna Seaglass.

Try Anjuna Seaglass Today 

In conclusion, with Anjuna Seaglass, you can protect your web server's TLS keys and eliminate the secret zero vulnerability. 

Try it out today and experience unparalleled protection against cyber threats.
