I am creating a web application with ASP.NET MVC, And I want to store some password into database.
The passwords must be recoverable. (They are not for myself, I need passwords to communicate with an API, which needs the real password) So I can't use hash algorithms or such.
I have found that AES
is a good encryption algorithm for me.
But, the problem is: where to store AES key? Is storing in appsettings
inside web.config
enough? How to make the key harder to find (for hackers)?
And the next question: Any ideas to make this system safer?
The encryption key is created and stored on the key management server. The key manager creates the encryption key through the use of a cryptographically secure random bit generator and stores the key, along with all it's attributes, into the key storage database.
Even keys stored only in server memory could be vulnerable to compromise. Where the value of the data demands it, keys should be encrypted whenever stored and only be made available in unencrypted form within a secure, tamper-protected environment and even (in extreme cases) kept offline.
You can enable Advanced Encryption Standard (AES) password encryption so that your passwords are more secure in your configuration files and properties files for the server environment. Currently, WebSphere® Application Server supports AES-128 encryption.
AES is a symmetric algorithm, so it does not have public and private keys - only a shared secret.
It is possible to encrypt sections of .config files. Here is the msdn documentation on the subject, although you will find other walkthroughs online as well.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With