Using Encrypted Keys
Private keys are sensitive pieces of information. With the private key of a system, attackers could read every encrypted message sent to that system and could also forge messages that would appear to have come from the real owner of the private key.
NOTE: Unencrypted private keys should not be stored on any media device that is not physically secure.
To protect against stolen private keys, you can encrypt them with a passphrase when they are created. Passphrases should not be stored on or near a computer that contains encrypted keys.
When RWAsymmetricKey loads a key and finds that it is encrypted, it invokes the password callback function. The password callback function is specified using the RWPasswordCallback parameter in the RWAsymmetricKey constructor. The password callback function sends the password to the cryptographic library.
NOTE: In an interactive system, you could write the callback so that it presents the user with a dialog box that prompts for a password, and then returns that password to the system.
If an encrypted key is loaded, but a password callback is not specified, the exception RWUnableToReadPrivateKeyError is thrown. An exception is also thrown when the password supplied to the system through the callback is incorrect. For more information, see RWAsymmetricKey.
See Password Callback for details on writing the callback function.