Re: CA keys and storing/sending them

Gari Singh <garis@...>

Private keys are never sent anywhere.  Only public keys are included with transactions.

If you are using the fabric-ca-client or any of the SDKs, by default private keys are created on the local file system of the host on which you enroll.  You can also choose to use the PKCS11 provider to have the private key generated and stored in an HSM.

If you do generate it on the local file system, then you should set the permissions to 0400 on *nix based OSes.  You should also encrypt the file system (especially when running in a public cloud).

Gari Singh
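As an added illustration of the 0400 advice above (this script is not part of the thread or of Fabric itself), the following POSIX shell functions audit a keystore directory for private-key files that are more permissive than owner-read-only and tighten them. The `msp/keystore/*_sk` layout used in the constructed demo is an assumption about where fabric-ca-client writes enrolled keys; the functions take any directory path.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from Fabric.
# Audits and hardens the permissions of a keystore directory so that
# locally generated private keys end up at mode 0400 as recommended.

# Print every regular file under $1 whose mode is not exactly 0400.
# Returns 0 when the keystore is clean, 1 when at least one file is too open.
check_keystore_perms() {
    dir="$1"
    bad=$(find "$dir" -type f ! -perm 0400)
    if [ -n "$bad" ]; then
        printf 'key files with permissions other than 0400:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Tighten every key file under $1 to owner-read-only (0400) and the
# directory itself to 0700 so other local users cannot even list it.
harden_keystore_perms() {
    dir="$1"
    chmod 0700 "$dir" || return 1
    find "$dir" -type f -exec chmod 0400 {} +
}

# Constructed demo fixture: a throwaway keystore holding one over-permissive
# placeholder key file (the msp/keystore/*_sk layout is an assumption).
demo_keystore() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/msp/keystore"
    printf 'NOT A REAL KEY - constructed sample\n' > "$tmp/msp/keystore/demo_sk"
    chmod 0644 "$tmp/msp/keystore/demo_sk"
    echo "$tmp/msp/keystore"
}
```

Typical use against a real enrollment directory would be `check_keystore_perms ~/.fabric-ca-client/msp/keystore || harden_keystore_perms ~/.fabric-ca-client/msp/keystore`; the check is kept separate from the fix so it can run read-only from a cron job or CI step and only alert. File permissions protect against other local users, not against someone who can read the disk, which is why the encrypted file system or an HSM via PKCS11 remains the stronger option.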

On Nov 7, 2019, at 11:32 AM, Trevor Lee Oakley <trevor@...> wrote:

I understand that HLF uses a client server CA and each member has its own CA. But for txn approvals I have a question about securely storing and sending keys. Are there any guidelines for this?
