Where to store RSA private key for a (Spring Boot) Java AWS program

So I have a Java (Spring Boot) application where I use an RSA key from Amazon. At the moment this is in .pem format and stored in a local folder inside my project.

But where should I store this when I deploy my application to the web (AWS):

  • Can I store this in another format and preferably use it in application.properties?

  • Can I use an RSA key as a string or does it always come from a file?

  • Or do I need to store this in a secure place on the server? Where would that be and how secure is it?

  • Do I have any other options on this?
Greg asked Dec 16 '15 21:12


2 Answers

The best place to store a private key is in a smart card or hardware security module (HSM), so that the key can never be stolen.

Amazon does have an HSM service, but it's pricey.

The next best place to store it is in a file (owned and readable only by the user your app runs under) and store its password in an OS user environment variable, so that it's reasonably safe by default and cannot be checked in to source control.

Neil McGuigan answered Oct 03 '22 19:10
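One way to apply this answer in a Spring Boot service, as an added example that is not from the original post: the key text comes either from an environment variable or from a file path in an environment variable, and a file is refused unless it is owned by the running user and readable by nobody else. It assumes the Amazon .pem has been converted to unencrypted PKCS#8 (`openssl pkcs8 -topk8 -nocrypt -in amazon.pem`), because the JDK's KeyFactory does not parse the PKCS#1 `BEGIN RSA PRIVATE KEY` form, and the two variable names are hypothetical; it skips the passphrase step and relies on the permission check instead.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Set;

public final class PrivateKeyLoader {
    // Hypothetical variable names: either the PEM text itself or a path to a 0600 file.
    private static final String KEY_PEM_ENV = "APP_RSA_KEY_PEM";
    private static final String KEY_PATH_ENV = "APP_RSA_KEY_PATH";

    public static PrivateKey load() throws Exception {
        String pem = System.getenv(KEY_PEM_ENV);
        if (pem == null) {
            String pathValue = System.getenv(KEY_PATH_ENV);
            if (pathValue == null) {
                throw new IllegalStateException("set " + KEY_PEM_ENV + " or " + KEY_PATH_ENV);
            }
            Path path = Path.of(pathValue);
            requireOwnerOnly(path);
            pem = Files.readString(path);
        }
        return parsePkcs8Pem(pem);
    }

    /** Refuse a key file not owned by the running user, or that group/others can read. */
    static void requireOwnerOnly(Path path) throws IOException {
        String owner = Files.getOwner(path).getName();
        if (!owner.equals(System.getProperty("user.name"))) {
            throw new SecurityException(path + " is owned by " + owner + ", not the app user");
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(path);
        if (perms.stream().anyMatch(p -> !p.name().startsWith("OWNER_"))) {
            throw new SecurityException(path + " must be mode 0600, found " + perms);
        }
    }

    /** Parses an unencrypted PKCS#8 PEM block ("-----BEGIN PRIVATE KEY-----"). */
    static PrivateKey parsePkcs8Pem(String pem) throws Exception {
        String base64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                           .replace("-----END PRIVATE KEY-----", "")
                           .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }
}
```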


There are other options if you do not have an HSM, as mentioned above. They are:

  1. Pivotal is working on the Spring Cloud Vault project. This is much better than an environment variable. If you do not have access to an HSM, you can store the file path in the Vault.
  2. Stack Exchange, yes these guys, are working on Stack Exchange Blackbox, which can encrypt the entire key and load it from an API. This is a better option if you do not need to use Docker and can manually start the application, as you would provide the password to access your keys.

For Vault:

  • See https://medium.com/@Ankitthakur/spring-boot-spring-vault-e9e973a17036
  • Also See https://spring.io/guides/gs/vault-config/

For Stack Exchange Blackbox:

  • See https://github.com/StackExchange/blackbox
  • Also see https://github.com/asevans48/blackbox_scala
Andrew Scott Evans answered Oct 03 '22 18:10