08/03/2006
Registration Authority  
iVDGL RA
Using a Host Certificate

In most circumstances the private key corresponding to the host or service certificate will be kept unencrypted on the local filesystem. This is necessary so that the host or service can authenticate without an administrator having to enter a pass phrase.

While convenient, storing the private key unencrypted is a security risk. To minimize the risk please follow these precautions:

  • Make sure that the UNIX permissions for the file containing the private key are set to 0400. The Globus tools will require this in order to function.

  • The private key should be stored on a filesystem that is local to the host so that the unencrypted key is not sent over a network connection. Likewise the Globus tools and servers should be run from a local filesystem so that they may access the private key directly without sending it over a network connection.

  • The file containing the private key should most often be owned by user root and in group root. If the file is owned by some other login, access to that account should be limited and monitored.
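
The three precautions above can be checked together with a small audit script. This is an added example, not part of the original page or the Globus tools. It assumes Linux with GNU coreutils `stat`, the list of network filesystem types is illustrative, and the key path is a placeholder.

```shell
#!/bin/sh
# Added example: audit an unencrypted host key file against the precautions above.
# Assumes Linux with GNU coreutils `stat`; the network filesystem list is illustrative.

# is_network_fs TYPE: succeed if TYPE (as printed by `stat -f -c %T`) is a network filesystem.
is_network_fs() {
    case "$1" in
        nfs*|cifs|smb*|afs|lustre|gpfs|ceph|coda) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_hostkey FILE [UID:GID]: print one line per finding; return 0 only if all checks pass.
# UID:GID defaults to 0:0 (user root, group root).
audit_hostkey() {
    key=$1
    want_owner=${2:-0:0}
    rc=0
    if [ ! -f "$key" ]; then
        echo "FAIL $key: not a regular file"
        return 2
    fi
    mode=$(stat -c '%a' "$key")          # octal permission bits, e.g. 400
    owner=$(stat -c '%u:%g' "$key")      # numeric owner and group
    fstype=$(stat -f -c '%T' "$key")     # type of the filesystem holding the key
    if [ "$mode" != "400" ]; then
        echo "FAIL mode is $mode, expected 400"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL owner uid:gid is $owner, expected $want_owner"
        rc=1
    fi
    if is_network_fs "$fstype"; then
        echo "FAIL key is on network filesystem type $fstype"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $key"
    return "$rc"
}

# Run as: sh audit_hostkey.sh /path/to/hostkey.pem   (placeholder path)
if [ "$#" -gt 0 ]; then
    audit_hostkey "$@"
fi
```

Pass a second argument such as `501:501` when the key is deliberately owned by a dedicated service account rather than root.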
Supported by the National Science Foundation