encryption with AES/CRYPTO - how to securely store the encryption key
Dear All,
I need to encrypt/decrypt some sensitive data which is permanently stored in a datagroup. Is there a way to store the encryption key so that it remains accessible from an iRule but at the same time is not present in the code? I anticipate that absolute security is problematic here (if such a thing exists at all :)) but what would be the most secure way of doing this on BigIP?
The ideal scenario would be to generate a key programmatically and store it somewhere on the BigIP file system (or a separate admin partition) so that it is accessible to a specific iRule (ideally just one rule) but is not accessible from the GUI/CLI. The iRule could then be signed with a certificate stored on the HSM, and any modifications to the iRule would be captured in the audit log, syslog and eventually the SIEM which is run by our SOC.
The key needs to be hidden, if not from all user accounts, then at least from all except one "break-glass" account whose use and credentials would be strictly controlled (administratively).
Or maybe I'm trying to invent a bicycle and it may be possible to easily use the HSM to store symmetric keys?
Any thoughts would be very much appreciated!