Best place to keep secure information in java spring web application

Question

I have web application implemented using java spring.Basically each user in application can store some critical information. Once user enters that data , it should be persisted .Is there any standard way to store that secure information. I can think of following places to store that information

1) In database
2) On Webserver as different files for each user. We can encrypt data in those files using some key.

I prefer for webserver as files for each user.But I have following questions:

1) Where can we store those files on webserver
2) How can we restrict access to those files?
3) Is there something available in spring to achieve this?
4) What kind of encryption library I can use to achieve this. And where I can store key for each user.
5) How we can sync those files on multiple instances. Is there some standard library for this also?

Answer 1

I'm not familiar with Spring but I recently worked on secure file storage so here is what I can say :

Where can we store files ?

• On the server
  You can just store the files on the server and read them, but if your server is corrupted, then the attacker gets the files
• In the database
  Well known DBMS like MySQL or MongoDB allows you to store files (as blobs or sets of chunks).

The advantage of storing files in the DB is the following : If the attacker reaches your server, then he will not get the files, he will have to find the DB password.

How can we restrict access to those files ?

• Restrict access to the eventual attacker
  Create a new user on the server who's the only one that can access your DB or your files and use a strong password.
• Restrict access to other users
  Just ask for authentication ! But simple password isn't very secured ...

Authentication

For a strong enough authentication method, you must ask 2 of this 3 questions to your user :

1. What do you know ? (e.g a password)
2. What do you have ? (e.g SMS Phone Verification)
3. What are you ? (e.g fingerprint, eye scan ...)

Not secure enough ? Let's have a quick talk about file encryption ...

What kind of encryption library I can use to achieve this. And where I can store key for each user ?

For the librairies, I don't know (my apologizes) but for the encryption method, keep it simple : use well known and efficient algorithms like RSA, AES or Triple DES.

How to handle encryption ?

Here is the result of a conversation I've had with friends about file encryption and key storage :

• Storage : The client has to encrypt the file. Then he sends the key and the filename (or file ID) to a server (server1) and the encrypted file to another server (server2)

• Download : The client gets the encrypted file from the server2, read the filename (or the file ID) and get the right key from server1 so he can decrypt the file.

The best thing to do is to secure the 2 servers (1 and 2) with Two Factors authentication (2 of the 3 questions) but it could be a break to the user's experience.

Hope it could help,