Internal key strings

This toolkit uses what we call an internal key string to hold a locally-encrypted copy of RSA and ECC keys. This key string is ephemeral in the sense it is only short lived. It expires at the end of your current session.

The principle is that you read in the key from a file as a one-off operation using its password into an "internal key string" and you can then use this string for other operations that require the key without requiring your important password again.

When your current session finishes (i.e. when the process ends), the internal key string is of no use. If it is accidentally printed or saved, it cannot be used to compromise your real key.

This means

• You cannot hardcode the internal key strings to re-use at a later date
• You cannot share an internal key string between different processes
• You cannot rely on getting the same string when re-reading a key from a file, even in the same process. If you need to compare internal RSA key strings, use the RSA_KeyHashCode function.

You should always read in the key data from the private and public key files, PFX files, or X.509 certificates at the time they are required. An internal key string is a string of base64 characters but please treat it as an opaque "blob". Its structure may change without notice in a future revision.

[Contents] [Index]