Replies: 1 comment
Hi @ch0wm3in, you're right that someone could start cracking the Here's some docs on that: https://smallstep.com/docs/step-ca/provisioners/#removing-the-encrypted-private-key-from-a-jwk-provisioner. That said, in our general production considerations we mention using strong passwords, which, as you mentioned, should protect you from the key getting decrypted: https://smallstep.com/docs/step-ca/certificate-authority-server-production/#use-strong-passwords-and-store-them-well.
I am using the docker images for step ca, and in that regard it will automatically set up "--remote-management", which puts a JWK with the "encryptedKey" into the provisioners.
I'm no expert in JWT, but say I wanted to reverse proxy connections from the internet to the CA according to the production considerations in https://smallstep.com/docs/step-ca/certificate-authority-server-production/#run-a-reverse-proxy
Wouldn't it be something that anyone could fetch and start cracking away at? Mind you that admin endpoints are not exposed and the password is very secure (bruteforcing unfeasible atm, but if Moore's law is true, eventually it will not be).
Or am I just paranoid and this is normal practice?
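The concern raised in the post above is that the provisioner list served by step-ca is public, so a JWK provisioner that still carries its `encryptedKey` hands an offline cracking target to anyone who can reach the CA. Below is an added audit script, not code from the discussion or from smallstep, that takes the JSON a `GET /provisioners` request returns, finds JWK provisioners that still publish an `encryptedKey`, and reads the protected header of that JWE to report the key-wrapping algorithm and the PBKDF2 iteration count (`p2c`) an attacker would have to pay per password guess. The sample response is constructed here; the provisioner names, the ciphertext bytes and the `p2c` value of 100000 are assumptions for illustration, not values taken from a real CA.

```python
"""Audit a step-ca /provisioners response for JWK provisioners that still
publish an encryptedKey, and report the PBES2 parameters of that JWE.

Added example; not part of the discussion or of smallstep's code.
"""
import base64
import json
import urllib.request


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used by JOSE."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def jwe_protected_header(compact: str) -> dict:
    """Return the protected header of a compact-serialised JWE.

    A compact JWE is header.encrypted_key.iv.ciphertext.tag; the header is the
    only part we need to learn how the private key was wrapped.
    """
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("not a compact JWE (expected 5 dot-separated segments)")
    return json.loads(b64url_decode(parts[0]))


def audit_provisioners(response: dict) -> list:
    """Inspect every JWK provisioner in a /provisioners response.

    Returns one finding per JWK provisioner: whether an encryptedKey is
    published and, if so, the wrapping algorithm and PBKDF2 iteration count.
    A PBES2-wrapped key is exactly what an offline password-guessing attack
    needs, so those findings are flagged.
    """
    findings = []
    for prov in response.get("provisioners", []):
        if prov.get("type") != "JWK":
            continue
        enc = prov.get("encryptedKey")
        if not enc:
            findings.append({"name": prov["name"], "encryptedKey": False})
            continue
        hdr = jwe_protected_header(enc)
        alg = hdr.get("alg", "")
        findings.append({
            "name": prov["name"],
            "encryptedKey": True,
            "alg": alg,
            "enc": hdr.get("enc"),
            "p2c": hdr.get("p2c"),
            # Password-derived wrapping means the secret is the password.
            "offline_crackable": alg.startswith("PBES2"),
        })
    return findings


def fetch_provisioners(ca_url: str) -> dict:
    """Fetch the live list from a CA, e.g. fetch_provisioners("https://ca.example:9000").

    The /provisioners endpoint is served without authentication, which is the
    point of the discussion: anything returned here is visible to the public.
    """
    with urllib.request.urlopen(ca_url.rstrip("/") + "/provisioners") as resp:
        return json.load(resp)


# Constructed sample response. The header mirrors the JWE shape a JWK
# provisioner's encryptedKey has; the ciphertext bytes are dummies and the
# p2c value is an assumed example, not a measured step-ca default.
_HEADER = {"alg": "PBES2-HS256+A128KW", "enc": "A256GCM",
           "p2c": 100000, "p2s": b64url_encode(b"\x01" * 16), "cty": "jwk+json"}
_DUMMY = b64url_encode(b"\x00" * 32)
SAMPLE_ENCRYPTED_KEY = ".".join(
    [b64url_encode(json.dumps(_HEADER).encode()), _DUMMY, _DUMMY, _DUMMY, _DUMMY])

SAMPLE_RESPONSE = {
    "provisioners": [
        {"type": "JWK", "name": "admin-with-key",
         "key": {"kty": "EC", "crv": "P-256", "x": "...", "y": "..."},
         "encryptedKey": SAMPLE_ENCRYPTED_KEY},
        {"type": "JWK", "name": "admin-key-removed",
         "key": {"kty": "EC", "crv": "P-256", "x": "...", "y": "..."}},
        {"type": "ACME", "name": "acme"},
    ],
    "nextCursor": "",
}

if __name__ == "__main__":
    for f in audit_provisioners(SAMPLE_RESPONSE):
        print(json.dumps(f))
```

Run it against a real CA by swapping `SAMPLE_RESPONSE` for `fetch_provisioners(url)`. A provisioner that reports `"encryptedKey": true` with a `PBES2` algorithm is one whose private key is protected only by the password and the iteration count, which is the case the linked smallstep docs cover by removing the encrypted key from the provisioner and keeping it out of band.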