We have some sensitive data for which the requirement is that nothing physically stored on any server is sufficient to decrypt the data. We need it to be the case that a human intervention is required before the data can be read.
However of course the application itself needs to be able to read the data. What we need is analagous to the way apache prompts you for your SSL passphrase - Your application is unuseable without it, but once a human enters it, the app runs fine without intervention until a restart.
Is anyone aware of a solution for this? One idea I had was to simply have an admin form that stores the passphrase in a global variable - however when running with Passenger, is there a way to systematically pin down each specific process to supply the global to it?
I am considering using memcached, but that would make the sensitive data available to anybody starting up a console on the server. Over time that could be many people, and we need to be able to restrict reading of this data to a smaller group than any app operator.