grigrizljac wrote: This plugin, I guess, should do the trick.
Since there are two keys – private (on server) and public (in C2), it's harder (I think it's impossible, correct me if I'm wrong) for a hacker to decrypt it. Even if they know the public key, they can only encrypt data and send it to the server, but cannot decrypt it.
Also, it's a good idea to encrypt the public key a bit (instead of plain-pasting it to C2, maybe split it into lots of pieces, then use these pieces together to compose it, change numbers to equations etc.).
Nothing is impossible, sadly. Most encryption schemes can be cracked by super computers doing cryptanalysis given enough time. The idea behind a secure system is that the lifetime of the information being secured is shorter than the amount of time it takes to break into a secure system. However, more often, hackers use system vulnerabilities or social engineering to break into the system, like Heartbleed, ShellShock, or spear phishing. Our servers were attacked with ShellShock attacks even before it really became widely known, so I was patched before it was widely publicized simply because I was keeping an eye on our server logs.
As far as SSL is concerned, the easiest way to "crack" it is to execute a man-in-the-middle attack replacing the SSL certificate with another local one. This is detectable though and can be protected against with browser certificate trust settings. It should be noted though that SSL doesn't protect your server. It protects your user's passwords and usernames in transit between them and you.
But for our purposes (and yours too), SSL (public-private or asymmetric key cryptography) is as good as we need.
You shouldn't need to encrypt the public key. That one is public because it only allows people to encrypt data back to you, not decrypt anything. The private key can be encrypted on your server, but you need to be able to decrypt it readily, which ties back into my question about how to secure symmetric keys on your servers. I know a lot of sys admins use TrueCrypt to just encrypt the entire drive partition, but I am not sure if this works on virtual partitions or not.