Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Where to store AES key?

I am creating a web application with ASP.NET MVC, And I want to store some password into database.

The passwords must be recoverable. (They are not for myself, I need passwords to communicate with an API, which needs the real password) So I can't use hash algorithms or such.

I have found that AES is a good encryption algorithm for me.

But, the problem is: where to store AES key? Is storing in appsettings inside web.config enough? How to make the key harder to find (for hackers)?

And the next question: Any ideas to make this system safer?

like image 412
Mahdi Ghiasi Avatar asked Sep 13 '12 14:09

Mahdi Ghiasi


People also ask

Where should encryption keys be stored?

The encryption key is created and stored on the key management server. The key manager creates the encryption key through the use of a cryptographically secure random bit generator and stores the key, along with all it's attributes, into the key storage database.

Should an encryption key be stored?

Even keys stored only in server memory could be vulnerable to compromise. Where the value of the data demands it, keys should be encrypted whenever stored and only be made available in unencrypted form within a secure, tamper-protected environment and even (in extreme cases) kept offline.

Is AES good for storing passwords?

You can enable Advanced Encryption Standard (AES) password encryption so that your passwords are more secure in your configuration files and properties files for the server environment. Currently, WebSphere® Application Server supports AES-128 encryption.

Is AES private or public key?

AES is a symmetric algorithm, so it does not have public and private keys - only a shared secret.


1 Answers

It is possible to encrypt sections of .config files. Here is the msdn documentation on the subject, although you will find other walkthroughs online as well.

like image 98
recursive Avatar answered Nov 03 '22 15:11

recursive