Menu
I am encrypting data (health care industry) using the aes encryption classes in the .net framework. What are some of the recommended locations for safely storing the key? I have it in the web.config for development, but that does not feel production worthy, to say the least.
706
The encryption key is created and stored on the key management server. The key manager creates the encryption key through the use of a cryptographically secure random bit generator and stores the key, along with all it's attributes, into the key storage database.
Even keys stored only in server memory could be vulnerable to compromise. Where the value of the data demands it, keys should be encrypted whenever stored and only be made available in unencrypted form within a secure, tamper-protected environment and even (in extreme cases) kept offline.
The AES master key always remains within the secure boundaries of the cryptographic coprocessors. Transport keys protect a key that is sent to another system, received from another system, or stored with data in a file.
You can encrypt your web.config values using built in methods in the framework:
http://weblogs.asp.net/scottgu/archive/2006/01/09/434893.aspx
This is probably a reasonable place to store your key - if somebody has managed to access your server to retrieve these details, then you probably have bigger worries.
132
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
