The encryption key is created and stored on the key management server. The key manager creates the encryption key through the use of a cryptographically secure random bit generator and stores the key, along with all it's attributes, into the key storage database.
A Private key for an end entity could be stored in a Trusted Platform Module (TPM) chip or a USB tamper-resistant security token. When hosting in the cloud, you should try to use the cloud-native key storage facilities provided by the vendor.
The AES master key always remains within the secure boundaries of the cryptographic coprocessors. Transport keys protect a key that is sent to another system, received from another system, or stored with data in a file.
In order to prevent somebody from grabbing my data easily, I cache data from my service as encrypted files (copy protection, basically).
However, in order to do this, I must store the encryption key within the .NET assembly so it is able to encrypt and decrypt these files.
Being aware of tools like Red Gate's .NET Reflector which can pull my key right out, I get a feeling that this is not a very safe way of doing it... are there any best practices to doing this?
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With