Menu
Which route to take, whats the pros and cons, which is more secure..
1) Generate AES key, encrypt the data with it and then encrypt the AES key with RSA, save the encrypted data and encrypted AES key to a file and RSA keypair to a KeyContainer.
2) Or use DPAPI ProtectedData class to encrypt the data and save it to a file and then store the entropy what i used with ProtectedData.Protect() to somewhere.. (maybe allso encrypt it with the RSA, store the RSA keypair to KeyContainer and the encrypted entropy to the file with the data?)
EDIT: Just for more info: We need to secure our applications file system usages. So any file the application stores to the filesystem we want it to be encrypted. The file is most likely used by the same application or another component of the same application stack.
859
asked Apr 11 '11 10:04
Encryption key management is the administration of policies and procedures for protecting, storing, organizing, and distributing encryption keys. Encryption keys (also called cryptographic keys) are the strings of bits generated to encode and decode data and voice transmissions.
Symmetric, or secret key encryption, uses a single key for both encryption and decryption. Symmetric key encryption is used for encrypting large amounts of data efficiently. 256-bit AES keys are symmetric keys. Asymmetric, or public/private encryption, uses a pair of keys.
There are two types of encryption in widespread use today: symmetric and asymmetric encryption. The name derives from whether or not the same key is used for encryption and decryption.
If you are looking for an encryption scheme to protect local application data, then your choice of API depends on if you would need to share the encrypted data between different servers running the same application.
If only one server would need access to the data, then DPAPI should be good enough for your purposes. The security is provided by the user's credentials, which in this context will be the credentials running your application stack. You can provide an additional entropy (or 'salt') hardcoded into your application to increase the security so that it is not reliant on the end user credentials alone. It is simple to implement and you don't need to deal with exporting/importing keys.
If multiple servers would need to access the same files / data, then the RSA Key Container method is better. The same key can be exported to multiple servers and they can share the same encrypted files. The key can also be backed up for recovery purposes. You don't have such an option with DPAPI.
The security in one method is not better than the other, as they use similar schemes and both keys are in the end protected with the user credentials. DPAPI uses credentials to secure the internal RSA keys it uses and Windows will control access to RSA Key Containers by using the credentials as well.
85
I have used DPAPI in the past and it was quite simple. RSA keypair looks quite manual to me. you can use DPAPI protection based on User/Machine level.
MSDN link on DPAPI
25
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
