TL;DR
Storing a Certificate Authority (CA) root key in a bank safe deposit box is extremely risky. It introduces significant physical security vulnerabilities and operational challenges that outweigh any perceived benefits. A Hardware Security Module (HSM), or robust, well-managed offline storage with strict access controls, is a far superior alternative.
Why it’s a bad idea
A CA root key is the foundation of trust for all certificates issued by your CA. Compromise of this key means attackers can issue fraudulent certificates, intercept communications, and impersonate your services. A bank safe deposit box doesn’t provide adequate protection.
Step-by-step: Why it fails & what to do instead
- Physical Security Weaknesses
  - Bank Access: Banks are targets for robbery and internal fraud. While banks have security measures, they aren’t designed to protect against determined attackers specifically targeting a CA root key.
  - Legal Issues: Seizure of assets (including safe deposit box contents) is possible under certain legal circumstances. You may lose access to the key without warning.
  - Limited Access Control: You typically need to be physically present with identification to access a safe deposit box, which limits flexibility and creates single points of failure.
- Key Rotation: Rotating the root key is crucial for security. The logistics of securely transporting the key to/from the bank for rotation are complex and risky.
- Disaster Recovery: If the bank experiences a disaster (fire, flood), your key could be lost or damaged. Recovery procedures would be severely impacted.
- Auditing & Compliance: Demonstrating compliance with industry standards (e.g., CA/Browser Forum) is difficult when using this method. Auditors will likely flag it as unacceptable.
- Hardware Security Module (HSM)
  - What it is: A dedicated hardware device designed to securely store and manage cryptographic keys.
  - Benefits:
    - Tamper-resistant: HSMs are physically hardened against attacks.
    - Strict Access Control: Granular control over who can access the key, with detailed audit logs.
    - Key Rotation Support: Simplified and secure key rotation procedures.
    - Compliance Ready: Meets industry standards for CA security.
  - Example (generating the root key *inside* the HSM via its PKCS#11 interface, so the private key never exists on disk; this is conceptual, and the module path, token label and tooling vary by HSM vendor). Note that a plain "openssl genrsa -out root_key.pem 2048" does the opposite: it creates a software key and writes it to a file.
    pkcs11-tool --module /path/to/vendor-pkcs11.so --login --keypairgen --key-type rsa:2048 --label root-ca --id 01
    openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:object=root-ca" -days 3650 -subj "/CN=Example Root CA" -out root_ca.pem
    (The second command uses the OpenSSL 1.x/libp11 engine syntax; OpenSSL 3 uses a PKCS#11 provider instead.)
- Secure Offline Storage
  - What it is: A secure, physically protected location with strict access controls and multiple layers of security.
  - Requirements:
    - Physical Security: Dedicated room with limited access, surveillance, intrusion detection systems.
    - Access Control: Multi-factor authentication (MFA) required for all personnel with key access.
    - Dual Control: Two or more authorized individuals required to perform sensitive operations (e.g., key generation, backup).
    - Audit Logging: Comprehensive logs of all key access and usage events.
    - Environmental Controls: Temperature/humidity control, fire suppression systems.
    - Multiple Backups: Create multiple backups of the root key stored in separate secure locations.
    - Encryption: Encrypt all backups with a strong passphrase or another key protected by an HSM.
    - Regular Testing: Regularly test your recovery procedures to ensure they work as expected.
Conclusion
Using a bank safe deposit box for CA root key storage is a significant security risk and should be avoided. Invest in an HSM or implement robust offline storage with strict access controls, dual control, and comprehensive audit logging to protect your CA’s most valuable asset.