Using PBE (password-based encryption) algorithms to secure private keys
To help secure private keys in your environment, Venafi requires that all private keys that are downloaded are password encrypted. Trust Protection Platform lets you use password-based encryption (PBE) algorithms to secure all PKCS#8-formatted private keys that are downloaded from Aperture, Policy Tree, or WebSDK.
TIP When selecting one of the supported PBE options, keep in mind that the relationship between security and compatibility is inverse: the higher the security, the lower the system compatibility, and vice versa.
NOTE The OpenSSL format supports only MD5 for key derivation, so it is a legacy private key format: very compatible, but insecure, and NIST considers it retired. For better security, you can disallow this format by locking the PBE algorithm policy to Medium or High. For best security, we recommend that you lock the PBE algorithm policy to High for all certificates.
When configuring PBE, you select one of the following options:
| PBE options (algorithms) | Hashing | Cipher used to encrypt/decrypt |
|---|---|---|
| Insecure but good system compatibility | MD5 | DES |
| Deprecated but better system compatibility | SHA1 | 3DES |
| High security and compatible with newer application versions (system default) | SHA256 | AES256 |
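The check below is an added example, not Venafi's code: it reads the PBE scheme from the DER header of a PKCS#8 key so you can confirm which row of the table a downloaded key was encrypted under. Pairing the rows with the standard PKCS#5/PKCS#12 identifiers (pbeWithMD5AndDES-CBC, pbeWithSHA1And3-KeyTripleDES-CBC, PBES2 with PBKDF2/HMAC-SHA256 and AES-256-CBC) is an assumption, and the sample blobs are constructed with dummy salt, IV and ciphertext.

```python
PBE_MD5_DES = bytes.fromhex("2a864886f70d010503")      # pbeWithMD5AndDES-CBC
PBE_SHA1_3DES = bytes.fromhex("2a864886f70d010c0103")  # pbeWithSHA1And3-KeyTripleDES-CBC
PBES2 = bytes.fromhex("2a864886f70d01050d")
PBKDF2 = bytes.fromhex("2a864886f70d01050c")
HMAC_SHA256 = bytes.fromhex("2a864886f70d0209")
AES256_CBC = bytes.fromhex("60864801650304012a")
# Pairing these OIDs with the table's rows is this example's assumption.
LEGACY = {PBE_MD5_DES: "MD5/DES", PBE_SHA1_3DES: "SHA1/3DES"}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) for the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def collect_oids(buf):  # every OBJECT IDENTIFIER body, descending into constructed types
    oids, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        if tag == 0x06:
            oids.append(value)
        elif tag & 0x20:
            oids += collect_oids(value)
    return oids

def classify_pbe(der):  # der: the base64-decoded body of a PKCS#8 PEM file
    _, outer, _ = read_tlv(der, 0)
    tag, alg, _ = read_tlv(outer, 0)
    if tag != 0x30:  # an unencrypted PrivateKeyInfo starts with INTEGER version
        return "not encrypted"
    oids = collect_oids(alg) or [b""]  # encryptionAlgorithm only, never the ciphertext
    if oids[0] == PBES2 and HMAC_SHA256 in oids and AES256_CBC in oids:
        return "SHA256/AES256"
    return LEGACY.get(oids[0], "other")

def tlv(tag, *parts):  # short-form DER encoder, used only to build the samples
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample(alg_oid, params):  # constructed key blob with a dummy 16-byte ciphertext
    return tlv(0x30, tlv(0x30, tlv(0x06, alg_oid), params), tlv(0x04, bytes(16)))

def pbes2_params(prf=None):  # constructed; prf=None leaves the default PRF (HMAC-SHA1)
    kdf = [tlv(0x04, bytes(8)), tlv(0x02, b"\x08\x00")]  # dummy salt, 2048 iterations
    kdf += [tlv(0x30, tlv(0x06, prf), tlv(0x05))] if prf else []
    return tlv(0x30, tlv(0x30, tlv(0x06, PBKDF2), tlv(0x30, *kdf)),
               tlv(0x30, tlv(0x06, AES256_CBC), tlv(0x04, bytes(16))))
```

A PBES2 key that omits the PRF falls back to HMAC-SHA1, so `classify_pbe` reports it as `other` rather than as the SHA256/AES256 row.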
To configure this setting in Policy Tree
- From the TLS Protect menu bar, click Policy Tree.
- Click the appropriate policy.
- Click the Certificate tab.
- In the Other Information area, click the Private Key PBE Algorithm arrow.
- Choose the algorithm that best fits your needs.
To learn how to configure this setting in TLS Protect's modern interface, see Setting policy on a folder.