Blog > Best Practices > Why Private Keys Should Not be Shared
Best Practices 06-16-2021
Dave Roche
Key management is a critical component to keeping your software signing secure. If private signing keys fall into the wrong hands, untold damage could be done to a brand’s reputation and could impact end users. Fortunately, there is a simple way for you to immediately up your security game. The practice of private key sharing amongst software development and DevOps teams increases your threat vector exponentially and it needs to stop.
Convenience vs. security
Understandably, it’s more convenient for developers to share private keys among their team. But just because it’s convenient doesn’t mean that it’s secure. The reason for private key sharing is that many teams have a key distribution problem. Multiple teammates may need the same key to sign code and get a build released as quickly as possible. Typically, an administrator places and order for the certificate and has to give the key to another team member who actually signs the code. But if that developer is out of the office or needs to give it to someone else to have a backup just in case, all of a sudden the private key is shared across the entire team and now resides in more than one location. The problem is that the more a private key is shared, the more it opens up the threat vector for either intentional or unintentional damage.
It’s not worth the risk to share private keys. Lost private keys will impact productivity, pulling away team members from priority projects to do remediation, not to mention the possibility of reputation damage and financial loss. For example, Android will not trust old versions of an app if a private key is lost, meaning end users will have to download a new app rather than update their existing one if an organization loses that Android private key.
Why shared private keys are vulnerable
Shared private keys open up the possibility for stolen keys, and stolen keys can mean signed software with vulnerabilities or malware being distributed with your company’s name on it. It’s like the key to your front door: you want to make sure it is protected and only with people you trust at all times. Shared private keys can get lost or stolen in transit or abused. Plus, there is no way to track who signed what and when if everyone has a local copy of the same signing key.
First off, developers may not pass around private keys in the most secure way. They may try to share them over the internet, which could be acquired by man-in-the-middle-style attacks, or a private key could be left out in the open on a web or build server or within a source code repository or put on a USB token, but if a user forgets to wipe the USB drive it would still hold the private key and could end up in the wrong hands.
Second, shared private keys could be unintentionally or intentionally lost or stolen. For instance, a developer with a private key on their hard drive might lose their laptop in a public space. That private key is then compromised if anyone gets access to the laptop. Or if a developer leaves the company, they could either accidentally or intentionally take a copy of the private key with them. In the wrong hands, a disgruntled employee could copy and paste that private key for personal purposes or even to sign something with malware to intentionally hurt their old company.
Key management best practices
Developers do need to share assets and cover for each other, but a shared private key is not the best way to do it. One way is to use dedicated HSMs, but that solution can get pricey and requires regular maintenance and replacement every three to five years. Another solution is to simply request multiple keys so each developer has their own, but this exponentially multiplies the cost and burden on the certificate requester. The simplest way to manage keys securely is to use a modern key management solution that gives you more control and security over key management.
Modern solutions inherently follow key management best practices, like controlling the use of signing keys, using key rotation, and separating duties of administrators and developers, all while providing control and auditability so that you can track what keys signed what code and who used them.
Modernize your key management
When it comes to private key management, historically developers have had to trade off security for convenience, and they have often elected to use private key sharing because it’s more convenient. However, modern solutions can help avoid these mistakes, while allowing developers the freedom to use private keys when they need them so that they can focus on what they’re best at: building and pushing software products.
DigiCert® Software Trust Manager is built on DigiCert ONE™, balances convenience with security in a comprehensive solution for code signing key management. It is designed to avoid the mistake of sharing private keys, along with many more code signing cardinal sins. DigiCert Software Trust Manager has the capability to put keys in offline mode, so keys cannot be used without prior permission. Administrators can control who has access when and can schedule or manually make available the private keys for release windows with the optional approval from those that should permit such activities.
DigiCert Software Trust Manager also gives control and visibility over the who, what and when of code signing. Administrators can set permissions and map key usage based on individuals or teams to control where keys are being used and who is signing what with them. Additionally, if someone leaves or joins the team, it’s easy to update access. You wouldn’t leave the key to your front door vulnerable, so don’t leave your private key vulnerable either.
Learn more about DigiCert Software Trust Manager
DigiCert Software Trust Manager is a modern way of managing code signing by enabling automated security across Continuous Integration/Continuous Delivery (CI/CD) pipelines with portable, flexible deployment models and secure key management.
Secure Software Manager supports code signing best practices like unique key and certificate per signing for private signing, on-demand keys and rotating keys. It is compatible with major platforms and libraries like Docker, Microsoft, Java, Android and more. Using DigiCert Software Trust Manager, enterprises integrate code into their product development processes easily, while delegating cryptographic operations, signing activities and management in a controlled, auditable way.
As a part of DigiCert ONE, DigiCert Software Trust Manager offers a rapid deployment of high volumes of certificates within minutes plus the flexibility the deploy across on-premises, in-country or in the cloud. For more information on DigiCert Software Trust Manager, visit digicert.com/software-trust-manager.
 - Shopify)