Which permissions should I set to dhparam.pem?

I am generating Diffie-Hellman parameters for the ssl_dhparam directive in the SSL configuration of nginx.

The file dhparam.pem is created with the command openssl dhparam 2048 -check -out dhparam.pem.

Which permissions should I set to this file? Is it safe to share in a git repository or should I keep it private?


Solution 1:

The dhparam file contains the prime which defines the group for the DH key exchange. It is not a secret, and will be sent in clear during the key exchange, so there is no point in trying to keep it secret.

As for file permissions: nginx needs to read them, and an attacker must not be able to edit them. It may depend on your setup, but setting owner and group to root and permissions to 644 should work.