What is the best way to store an AES encryption key?
We are using Tomcat for our java web application. There is a properties file in the WEB-INF folder.
AES encryption will be used to generate the key and encrypt the password. The encrypted password will be saved in the properties file. Where should the encryption key be stored? Is it a good idea to put the key and encrypted password in the same properties file? Or should the key be stored outside the "webapps" directory?
source to share
In windows you can use the registry and DPAPI. Using the registry really sucks, but it is a necessary pain if you want to go for absolute security and use the operating system to store your valuable data.
On other OS X, you can use Keychain.
On linux, I would use file permissions to protect the file.
What do you suggest:
Is it possible to put the key and encrypted password in the same properties file?
How to keep your money in a safe and then write the combination to the safe on stickynote and hold the note on the safe. Everything you have done is not related to the thief, but it has not added any significant level of security.
If the properties file is secure enough to store the encryption key, you can store passwords in it in cleartext.
source to share
I have the following suggestions,
-
Do not store the key in WAR. We reserve the responsibility to provide a key for each installation. In production, we can actually provide it by storing the key files on the smart card.
-
Make sure your keys are versioned so you can rotate it regularly.
-
Store passwords for key generation instead of source material. This makes it easier to add new keys (you don't need to worry about the algorithm or keys, etc.). It also adds some confusion.
source to share