Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Where to Store Encryption Keys MVC Application

Tags:

asp.net

asp.net-mvc-3

encryption

encryption-symmetric

I am using a AES encryption/decryption class that needs a key value and vector value encrypt and decrypt data in an MVC3 application.

On saving the record I am encrypting the data then storing in a database. When i retrieve the record i am decrypting in the controller and passing the unencrypted value to the view.

The concern is not protecting data as it traverses the network but to protect the database should it be compromised.

I have read many posts that say dont put the keys for encryption in your code.

Ok so where should they be kept? File system? Another Database?

Looking for some direction.

like image 908
user1287453 Avatar asked Jun 07 '12 22:06

user1287453

1 Answers

Common sense says, if an intruder gets access to your database, they will most likely also have access to your file system. It really comes down to you. For one, you can try to hide it. In configuration files, in plain files somewhere in file system, encrypt it with another key that is within the application ... and so on and so forth.

Configuration files are a logical answer, but why take a chance - mix it. Feel free to mix keys with multi-level encryptions - one requiring something from the record itself and being unique to every record, other one requiring a configuration value, third one requiring an application-specific value, and perhaps a fourth one from a library hidden well within your application's references? This way, even if one layer somehow gets compromised, you will have several others protecting it.

Yes, it adds overhead. Yes, it is relatively expensive. But is it worth it if you have sensitive data like user credit card details? You bet it is.

I'm using similar encryption and hashing techniques in one of my personal pet projects that is highly security focused and carefully controlled. It depends how much data you need to display at any one time - for example, mine will ever fetch only 10 records at a time, most likely even less.

... To specify what I mean by mixing: Encrypt once. Then encrypt that data again with different key and suggestedly different algorithm.

like image 165
NeroS Avatar answered Oct 06 '22 00:10

NeroS
Sign in to Comment

Related questions

How was the hash collision issue in ASP.NET fixed (MS11-100)? [closed]
Why does the ASP.NET Compiler rebuild all binaries in every build?
Setting exception handled in Web API ExceptionFilterAttribute
Can URI templates be used to match URIs to routes?
How can I add token authentication to my IIS so as to secure files in a folder?
Session ending and restarting is preventing DropDownList_SelectedIndexChanged from firing
The type or namespace name 'Transactions' does not exist in the namespace 'System' [duplicate]
Google Drive API using C# - Uploading
Entity Framework 4.2, Unable to set Identity Insert ON
Hangfire with multiple projects in .net solution
How to load all pages of crystal reports at once
How to defer the update at the client side after async postback in updatepanel
ASP.NET Membership Login redirecting to unauthorized when user is logged in
SignInManager.PasswordSignInAsync generate many database access
How can I get the list of policies from Asp.Net Core Authentication?
Integration testing C# WebAPI asp.NET Framework 4.6.1
Membership Providers and HIPAA Compliance
Jquery Validation And Update Panel Together
Can Azure run WPF?
.NET 4 MVC 2 Validation with annotations warning instead of error

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!