4

I have created a self-signed certificate using PowerShell's New-SelfSignedCertificate, with the intention of encrypting and storing a username / password in public.

Specifically using -

# Backticks added so the multi-line invocation actually parses as one command
New-SelfSignedCertificate -TextExtension @("2.5.29.37={text}1.3.6.1.4.1.311.80.1") `
                          -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
                          -DnsName sign.example.com `
                          -CertStoreLocation  "Cert:\CurrentUser\My" `
                          -KeyExportPolicy ExportableEncrypted -KeyUsage DataEncipherment `
                          -KeyUsageProperty All -KeyLength 2048

$cred = Get-Credential                      # the username / password to protect
$key = New-Object byte[](32)                # 256-bit key for ConvertFrom-SecureString (AES)
$rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::Create()
$rng.GetBytes($key)
$SecureStringWithKey = $cred.Password | ConvertFrom-SecureString -Key $key

I am then creating an object with the key, username and password securestring and encrypting it through

Protect-CmsMessage -Content $object -To $thumbprint

Presuming that I have used a complex password for the pfx file, is it safe to store the pfx file and the encrypted string together in a github repository (along with the script that untangles the whole thing) or should I be taking steps to keep the pfx file safe also?

Michael B
  • That presumption is a bit tricky. Complex passwords are very hard to remember, especially if you don't want to reuse them. So storing the PFX file separately may add a layer of security. – Maarten Bodewes Nov 08 '15 at 23:05
  • @MaartenBodewes The intent is to have the pfx file & encrypted data on github, and a complex password stored on lastpass (I know I could store the pfx file there (and I might do)) this was mainly doing a sanity check on keeping them both in the open. – Michael B Nov 09 '15 at 01:35

2 Answers

3

Yes, it is safe to store encrypted data encryption key (DEK) materials (your PFX file matches this description) alongside the encrypted data. You should store the key encryption key (KEK) (the password for the PFX) in separate storage (or remember it if practical).

Alain O'Dea
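The layering the question describes and the DEK/KEK split in the answer above, as one added end-to-end example (this is not code from the question or the answer; the DNS name, file names and the `$cred` prompt are placeholders). Side A runs once on a trusted machine; side B is a fresh machine that has only the repository contents (`secret.cms` and `key.pfx`) plus the PFX password held elsewhere:

```powershell
# Added example: the certificate's private key wraps the DEK, and the PFX
# password is the KEK that wraps that private key. Only the KEK stays out of the repo.

# --- side A: one-time setup on a trusted machine ---
$cert = New-SelfSignedCertificate `
    -TextExtension @("2.5.29.37={text}1.3.6.1.4.1.311.80.1") `
    -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" `
    -DnsName sign.example.com `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyExportPolicy ExportableEncrypted -KeyUsage DataEncipherment `
    -KeyUsageProperty All -KeyLength 2048

# 256-bit DEK from the OS CSPRNG; ConvertFrom-SecureString -Key uses it as an AES key.
$dek = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($dek)

$cred = Get-Credential -Message "Credential to store"   # placeholder prompt
$blob = [pscustomobject]@{
    User     = $cred.UserName
    Password = ($cred.Password | ConvertFrom-SecureString -Key $dek)
    Dek      = [Convert]::ToBase64String($dek)
} | ConvertTo-Json -Compress

# CMS-encrypt the JSON (DEK included) to the certificate; only its private key can open it.
Protect-CmsMessage -Content $blob -To $cert.Thumbprint -OutFile .\secret.cms

# Export the private key. This password is the KEK and must not be committed.
$kek = Read-Host -AsSecureString -Prompt "PFX password (keep out of the repo)"
Export-PfxCertificate -Cert $cert -FilePath .\key.pfx -Password $kek | Out-Null

# --- side B: machine with secret.cms + key.pfx from the repo, and the KEK from elsewhere ---
$kek = Read-Host -AsSecureString -Prompt "PFX password"
Import-PfxCertificate -FilePath .\key.pfx -Password $kek `
    -CertStoreLocation Cert:\CurrentUser\My | Out-Null
$json = Unprotect-CmsMessage -Path .\secret.cms        # finds the imported private key
$obj  = $json | ConvertFrom-Json
$dek2 = [Convert]::FromBase64String($obj.Dek)
$pw   = $obj.Password | ConvertTo-SecureString -Key $dek2
$restored = New-Object System.Management.Automation.PSCredential($obj.User, $pw)
# $restored.GetNetworkCredential().Password now holds the plaintext; use it and discard it.
```

Anyone who obtains the repository gets `secret.cms` and `key.pfx`, so the strength of the whole scheme reduces to the PFX password and the PFX's own password-based encryption; the DEK adds no secrecy of its own because it travels inside the CMS blob.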
1

Be aware that .pfx files come with varying levels of encryption, including 40-bit RC2, which is not secure. To find out what encryption algorithm is used for your .pfx file, see this answer using openssl pkcs12.

After calling New-SelfSignedCertificate you will have a new certificate in your certificate store. I imagine you then generated the .pfx file by using Windows (e.g., with Microsoft Management Console). On Windows 10, for me, today, this uses 3DES, but on earlier versions of Windows it may use a less secure algorithm.

Also pay attention to the iteration count. The default on Windows 10 is 2000 iterations of SHA-1, so an attacker might make ~1,000 guesses/second at the password (see this answer using openssl speed). You say you have picked a "complex password", which is good, but at that rate some apparently complex passwords can be guessed, especially if your GitHub repo has been public since Nov 2015.

Martin Randall
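A way to carry out the check this answer recommends, and to re-wrap a weakly protected .pfx, as an added example (not the answer's own code). It assumes `openssl` is on PATH, that the file path is a placeholder, and that `Export-PfxCertificate -CryptoAlgorithmOption` is available (Windows 10 / Server 2016 and later):

```powershell
# Added example: report the PBE algorithms and iteration counts inside a .pfx,
# then re-export it with AES-256 / SHA-256 protection if a weak cipher is found.
$pfxPath = ".\key.pfx"                                   # placeholder
$kek     = Read-Host -AsSecureString -Prompt "PFX password"
$plain   = [System.Net.NetworkCredential]::new("", $kek).Password

# 'openssl pkcs12 -info' writes its summary to stderr, with lines such as:
#   MAC: sha1, Iteration 2000
#   PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2000
#   Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2000
# Supplying the password on stdin keeps it out of the process command line.
$info = $plain | & openssl pkcs12 -info -in $pfxPath -noout -passin stdin 2>&1 |
        ForEach-Object { "$_" }

$pbeLines = $info | Where-Object { $_ -match 'Encrypted data|Shrouded Keybag|^MAC' }
$pbeLines | ForEach-Object { Write-Host $_ }

# Weak if any bag uses RC2/RC4 (40- or 128-bit) or an MD5-based scheme.
$weak  = [bool]($pbeLines -match 'RC2|RC4|40Bit|128Bit|MD5')
# Lowest iteration count across the MAC and each bag: that is the attacker's cost.
$iters = $pbeLines |
         ForEach-Object { if ($_ -match 'Iteration (\d+)') { [int]$Matches[1] } } |
         Sort-Object | Select-Object -First 1
Write-Host ("Weak PBE present: {0}; lowest iteration count: {1}" -f $weak, $iters)

if ($weak) {
    # Round-trip through the user store so Export-PfxCertificate can re-wrap the
    # key with AES-256 and an HMAC-SHA-256 MAC. The iteration count stays at the
    # Windows default; raising it needs 'openssl pkcs12 -export -iter N' instead.
    $c = Import-PfxCertificate -FilePath $pfxPath -Password $kek -Exportable `
             -CertStoreLocation Cert:\CurrentUser\My
    Export-PfxCertificate -Cert $c -FilePath ".\key-aes256.pfx" -Password $kek `
             -CryptoAlgorithmOption AES256_SHA256 | Out-Null
    Write-Host "Re-exported as key-aes256.pfx (older Windows releases may not open this format)."
}
```

Whatever the algorithm, a .pfx published in a repository is offline-guessable for as long as the repository exists, so the iteration count and the password entropy are the only two knobs that matter; the stronger export only buys time per guess, not an upper bound on guesses.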