Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Best way to store encryption keys in .NET C#

In our application we have a lot of sensitive configuration settings, which we are storing in a xml file which is again encrypted.

This secure file has to be decrypted in runtime and the configuration values read. but an issue arises that the key and initialization vector is hardcoded in the code and hence anyone can read it using Reflector.

What is the best way to store encryption keys in .NET so no one can read them using Reflector?

like image 381
ganeshran Avatar asked Feb 11 '11 09:02

ganeshran


People also ask

How should encryption keys be stored?

The encryption key is created and stored on the key management server. The key manager creates the encryption key through the use of a cryptographically secure random bit generator and stores the key, along with all it's attributes, into the key storage database.

Where should private keys be stored?

A CA's private key should be stored in hardware-based protection, such as a Hardware Security Module (HSM). This provides tamper-resistant secure storage. A Private key for an end entity could be stored in a Trusted Platform Module (TPM) chip or a USB tamper-resistant security token.

How do you store asymmetric keys in a key container?

Create an asymmetric key and save it in a key container KeyContainerName field. Create a new instance of a class that derives from the AsymmetricAlgorithm class (usually RSACryptoServiceProvider or DSACryptoServiceProvider) and pass the previously created CspParameters object to its constructor.

Do you store encryption keys in the cloud?

Cloud-Based Encryption: The cloud provider generates, manages, and stores the keys used to encrypt and decrypt data. Bring Your Own Key (BYOK): The customer generates and manages encryption keys, but the cloud provider has access to the keys and can use them to encrypt and decrypt data.


1 Answers

If you want to protect your data from other users. Take a look at the ProtectedData class.

(Disclaimer: Protecting your data to create a copy protection scheme is not covered in this answer).

This classes uses the DPAPI from Windows, to encrypt and decrypt data on user or machine level.

Using ProtectedData/DPAPI frees you from handling keys and securing the data yourself. And you can choose to protect the data for the current user. The data can be read from different computers, by the same domain users.

If you want create your own key. You can create a key per user/machine, and store this key in the registry. Because the registry can be secured, only the current user can read the key back. I know the registry has bad karma, but is actually very good at storing data like this.

PS: Do not put the IV in your code. Create a new IV every time, and put it in front of the data.

like image 94
GvS Avatar answered Sep 22 '22 17:09

GvS