The keys are RSA, we need to be able to put an optional passphrase on them (for startup as in httpd) as a simple first (and zero cost/design to network) measure to eliminate their value to thieves. This has not been done. There have been threads and tickets on this whole key management topic.