password-less keys for TLS

Ben Humpert ben at
Fri Nov 11 21:29:38 CET 2016

A password encrypted server key can't just get copied, you also need
to read the config file for the password. A password-less server key
instead is very easily copied. Often the key needs less restrictive
permissions so the running application can read it but the config file
can be set to read-only by root.

Depending on the client a password-less client key is fine, eg. for
desktop computers. For every client that physically enters the world
outside I always use password encrypted keys just because I don't need
to revoke them immediately.

2016-11-11 20:27 GMT+01:00 Matt Zagrabelny <mzagrabe at>:
> Hello,
> I am wondering what folks think about password-less keys for TLS? Both
> the server key - and the client key under EAP-TLS.
> The password for the server key is on disk in a config file, so a
> password encrypted key seems just about as safe as a password-less
> key.
> The client keys are bit more vulnerable when they aren't encrypted,
> but I thought I would ask the list if anyone is rolling client certs
> without passwords.
> Thanks for any feedback!
> -m
> -
> List info/subscribe/unsubscribe? See

More information about the Freeradius-Users mailing list