A number of serious security vulnerabilities, collectively known under the names of “Meltdown” and “Spectre”, have recently been discovered in a broad range of CPUs from Intel, ARM and AMD (some up to 20 years old) that are commonly used in servers, PCs and even mobile devices.
Workarounds for some of the vulnerabilities are being introduced into operating systems, hypervisors, web browsers and other software, while the CPU manufacturers rush to fix their chips. Cloud service providers are also rolling out these workarounds in their infrastructure. However, not all the vulnerabilities can be fully mitigated in software, although fortunately those that cannot are the least easy to exploit. As always, the best advice is to keep all your software patched and up to date.
The Threat to Keys
One of the main concerns is that sensitive data used by some applications could be stolen - in the worst case, this could be private (asymmetric) or secret (symmetric) cryptographic keys. Such keys have a high value as, once exposed, security mechanisms such as encryption, authentication and integrity protection are broken. This in turn can have many serious impacts, such as large-scale data breaches and falsified transactions.
What You can Do
As we previously learnt from the “Heartbleed”, “Rowhammer” and “Flip Feng Shui” vulnerabilities, and now again with Meltdown and Spectre, storing keys on servers is generally a bad idea. Best practice is to use a tamper-resistant Hardware Security Module (HSM) certified to at least FIPS 140-2 Level 2 to generate, store and process keys under the control of a centralized key management system.
However, if you must store private / secret keys on a PC or server, then you should follow these rules:
- Control all physical and logical access to the PC/server
- Keep the operating system and other software patched
- Avoid using VMs
- Minimize network connectivity – ideally don’t connect it to a network, and certainly not to the Internet