Cloudflare Customers Can Now Restrict Physical Location Of Their Private Keys

Cloudflare, a leading provider of content delivery network and internet security services, announced the Cloudflare “Geo Key Manager,” a service that allows its enterprise customers to store the private encryption keys of their websites only at certain Cloudflare data center locations. The service is mainly addressed to customers who fear local government abuse or aggressive legislation seeking user data, but government agencies may also take advantage of it to ensure that their keys aren’t stored in a rival country.

How The Geo Key Manager Works

When enterprise customers upload a custom certificate, they can choose the subset of Cloudflare’s data centers in which their private keys may be stored for the purpose of establishing HTTPS connections to their websites.

Connections handled by data centers that the customer has disallowed for storing the keys will be served via Cloudflare’s “Keyless SSL” service. Keyless SSL is an older service that allows customers to hold their private keys in places other than Cloudflare’s servers, while still benefiting from Cloudflare’s other services.
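The two paths described above, modelled as an added example (this is illustrative code written for this article, not Cloudflare’s Geo Key Manager or Keyless SSL implementation). It assumes a set of constructed colo codes tagged with a region, uses an HMAC as a stand-in for the real RSA/ECDSA private-key operation so that it runs on the Python standard library, and names the helpers `provision`, `key_locations` and `KeyServer` for illustration only. The point it demonstrates is the one the text makes: an edge in a disallowed region never holds the key bytes; it forwards only a handshake digest to a key server that lives where the key is permitted, and the client receives an identical signature either way.

```python
"""Toy model: geo-restricted key placement with a remote signing fallback."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample edge locations (colo code -> region); not Cloudflare's real list.
DATA_CENTERS = {"iad": "US", "sfo": "US", "fra": "EU", "ams": "EU", "sin": "APAC"}


def toy_sign(key: bytes, digest: bytes) -> bytes:
    """Stand-in for an RSA/ECDSA private-key operation, done with HMAC so the
    example needs only the standard library. Anyone holding `key` can sign."""
    return hmac.new(key, digest, hashlib.sha256).digest()


class KeyServer:
    """Hypothetical Keyless-SSL-style key server: it lives where the key is
    allowed to be, answers signing requests, and never hands out the key."""

    def __init__(self, private_key: bytes) -> None:
        self._private_key = private_key
        self.sign_requests = 0  # audit counter: how often the remote path was used

    def sign(self, digest: bytes) -> bytes:
        self.sign_requests += 1
        return toy_sign(self._private_key, digest)


@dataclass
class Edge:
    """One data center. `local_keys` maps hostname -> key bytes held on this edge."""
    colo: str
    local_keys: dict = field(default_factory=dict)

    def handshake_sign(self, hostname: str, transcript: bytes, key_server: KeyServer):
        """Produce the handshake signature: locally if the key is stored here,
        otherwise by forwarding only the digest to the key server."""
        digest = hashlib.sha256(transcript).digest()
        key = self.local_keys.get(hostname)
        if key is not None:
            return "local", toy_sign(key, digest)
        return "keyless", key_server.sign(digest)


def provision(hostname: str, private_key: bytes, allowed_regions: set, edges: list) -> None:
    """Geo-restriction step: copy the key only to edges in the allowed regions
    and make sure no disallowed edge keeps a stale copy."""
    for edge in edges:
        if DATA_CENTERS[edge.colo] in allowed_regions:
            edge.local_keys[hostname] = private_key
        else:
            edge.local_keys.pop(hostname, None)


def key_locations(hostname: str, edges: list) -> list:
    """Audit helper: which colos currently hold key material for `hostname`."""
    return sorted(e.colo for e in edges if hostname in e.local_keys)


def run_demo() -> dict:
    """Provision a US-only key, then serve one handshake from a US and an EU edge."""
    hostname = "example.com"
    private_key = secrets.token_bytes(32)  # constructed key; only permitted hosts ever see it
    key_server = KeyServer(private_key)
    edges = [Edge(colo) for colo in DATA_CENTERS]
    provision(hostname, private_key, {"US"}, edges)

    transcript = b"ClientHello|ServerHello|Certificate"  # constructed handshake bytes
    by_colo = {e.colo: e for e in edges}
    us_path, us_sig = by_colo["iad"].handshake_sign(hostname, transcript, key_server)
    eu_path, eu_sig = by_colo["fra"].handshake_sign(hostname, transcript, key_server)
    return {
        "key_locations": key_locations(hostname, edges),
        "us_path": us_path,
        "eu_path": eu_path,
        "same_signature": us_sig == eu_sig,
        "remote_sign_requests": key_server.sign_requests,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the key present only on the two US edges, the US handshake signed locally, the EU handshake taking the keyless path with exactly one remote signing request, and the two signatures being byte-identical, which is why the client is none the wiser about where the key lives. The audit helper is the kind of check a customer would want to run after changing the allowed regions.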

Who Uses The Geo Key Manager

The private keys are stored in all of Cloudflare’s data centers by default to optimize content delivery performance. However, Cloudflare customers who use the Geo Key Manager will be able to choose, for instance, that their private keys are stored only within the United States or the European Union (EU).

According to Cloudflare, those who want the keys to be stored only in the U.S. are typically U.S. government agencies, or companies that serve U.S. customers exclusively. Alternatively, EU businesses may prefer the keys to be stored in the EU for easier compliance with the EU’s data protection laws.

Data Center Physical Security

Right now, Cloudflare has 31 data centers in 25 U.S. cities and 30 data centers in 21 EU countries. Its data centers benefit from high security and offer a variety of physical controls, from locked doors, alarm systems, and patrolling guards to closed circuit camera monitoring, requiring authorizations and logging of personnel visits, and using tamper detection systems for their servers. Its top-tier data centers have even stricter security requirements.

More Improvements To Come

Cloudflare’s Geo Key Manager doesn’t currently allow its customers to pick and choose which of the 55 data centers they would like to use or avoid. However, this feature is already in the works, and the company said that enterprise customers may already ask for early access to it.

Eventually, Cloudflare also hopes to allow its clients to outsource the geographical key management to other entities, including trusted civil rights organizations such as the EFF. For instance, some companies may allow the EFF to hold their keys if they think the government would think twice before trying to bully the nonprofit.

Such a feature would probably be quite useful for the “Lavabits” of the world, in other words, small companies that can’t afford to fight with powerful governments over access to their users’ data.

Lavabit’s founder decided to shut down his encrypted email company rather than turn over his servers’ private key to the FBI. He felt that outright refusal wasn’t an option, but he also didn’t want to betray his users.

If the key had been held by the EFF, the FBI might have avoided asking for it, if it wasn’t sure it had a strong legal standing to do so. Alternatively, even if the government had persisted in its request, the Lavabit founder and his users could have been assured that they had the best legal defense they could possibly get.

Lavabit did eventually get help from the EFF in this case, and was even relaunched as a new email service with end-to-end encryption, but not all startups may be so lucky.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.