nijave 3 hours ago

How can the key be stolen easily? That really depends on the security of the Redis setup. Redis is typically not internet accessible so you'd need some sort of server exploit.

Would have been good if the article example showed a Redis server with TLS and password auth.

time4tea 2 hours ago | parent

Private key material should not be kept in the clear anywhere, ideally. This includes on your dev machine, serialised in a store, in the heap of your process, anywhere. Of course, it depends on your threat environment, but the article did mention PCI-DSS. If you put it in Redis, then anyone that has access (internal baddies exist too!) can steal the key and sign something. It's hard to repudiate that.

flumpcakes an hour ago | parent

How far do you go? How do you use the private key to sign something if you can't keep it anywhere?

JackSlateur an hour ago | parent

TPM

You never have the private key, only the ability to ask something to encrypt/sign something
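The pattern JackSlateur describes, as an added example that is not from any commenter in this thread: the application holds a crypto.Signer handle and can only ask for signatures and the public key, while the key material stays inside a custodian. The custodian here is a constructed in-process stand-in for a TPM (the names keyCustodian, signReceipt and verifyReceipt are hypothetical, and Ed25519 is assumed since the thread names no algorithm).

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"io"
)

// keyCustodian stands in for a TPM or HSM: the key is generated inside it and there is no export path.
type keyCustodian struct {
	priv ed25519.PrivateKey // unexported, no accessor: never leaves this struct
}

func newKeyCustodian() (*keyCustodian, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &keyCustodian{priv: priv}, nil
}

// Public and Sign make keyCustodian a crypto.Signer, the interface Go TPM and
// PKCS#11 bindings expose; pure Ed25519 signs the raw message, so opts are ignored.
func (c *keyCustodian) Public() crypto.PublicKey { return c.priv.Public() }
func (c *keyCustodian) Sign(_ io.Reader, msg []byte, _ crypto.SignerOpts) ([]byte, error) {
	return ed25519.Sign(c.priv, msg), nil
}

// signReceipt is the application side: it holds a handle, not key bytes, so nothing here can be put in Redis or a log.
func signReceipt(s crypto.Signer, receipt []byte) ([]byte, error) {
	return s.Sign(rand.Reader, receipt, crypto.Hash(0))
}

func verifyReceipt(pub crypto.PublicKey, receipt, sig []byte) bool {
	k, ok := pub.(ed25519.PublicKey)
	return ok && ed25519.Verify(k, receipt, sig)
}

func main() {
	c, err := newKeyCustodian()
	if err != nil {
		panic(err)
	}
	receipt := []byte("order=42;amount=19.99") // constructed sample input
	sig, _ := signReceipt(c, receipt)
	fmt.Println("signature valid:", verifyReceipt(c.Public(), receipt, sig))
}
```

Swapping the custodian for a real TPM-backed crypto.Signer leaves signReceipt unchanged, which is the point: the application code never had a place where the private key could be read out.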