java, tomcat, encryption, key-storage

What is the best way to store an AES encryption key?


We use Tomcat for our java web application. There is a properties file under WEB-INF folder.

AES encryption will be used to generate a key and encrypt the password. The encrypted password will be stored in the properties file. Where should the encryption key be stored? Is it a good idea to put the key and the encrypted password in the same properties file? Or should the key be stored outside of the 'webapps' directory?


Solution

  • On Windows, you can use the Registry and DPAPI. Using the registry does suck, but it's a necessary pain if you want to go for absolute security and leverage the Operating System to store valuable data.

    On OS X, you can make use of the Keychain.

    On Linux, I would use file permissions to secure the file.

    What you are proposing:

    Is it a good idea to put the key and the encrypted password in the same properties file?

    Is like storing your money in a safe, then writing the combination to the safe on a sticky note and sticking the note on the safe. All you've done is inconvenienced the thief, but not added any meaningful level of security.

    If the property file is secure enough to house an encryption key, then you can store passwords in it, in plaintext.
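As an added example (not code from the question or the answer above), here is one way to apply the Linux advice in Java: the AES key is read from a file outside webapps/ whose path comes from a system property, the loader refuses to start if that file is readable by group or others, and only the ciphertext lives in the WEB-INF properties file. The path, the property name and the value layout (base64 of a 12-byte AES-GCM IV followed by ciphertext and tag) are assumptions; the permission check uses POSIX attributes, so it applies to Linux, not Windows.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class KeyLoader {
    // Assumed location: outside the Tomcat tree, e.g. -Dapp.key.file=/etc/myapp/aes.key
    private static final Path KEY_FILE =
            Paths.get(System.getProperty("app.key.file", "/etc/myapp/aes.key"));
    private static final int IV_BYTES = 12;      // AES-GCM nonce length
    private static final int TAG_BITS = 128;     // AES-GCM authentication tag length

    /** Reads the raw key; refuses any file that group or others can read (expects chmod 600). */
    static byte[] loadKey() throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(KEY_FILE);
        for (PosixFilePermission p : perms) {
            if (!p.name().startsWith("OWNER_")) {
                throw new IOException(KEY_FILE + " has permissions " + perms
                        + "; key file must be owner-only and owned by the Tomcat user");
            }
        }
        byte[] key = Files.readAllBytes(KEY_FILE);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IOException("unexpected AES key length: " + key.length);
        }
        return key;
    }

    /** Decrypts the assumed "db.password" entry: base64(iv || ciphertext || tag). */
    static String decryptPassword(Properties props, byte[] key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(props.getProperty("db.password"));
        byte[] iv = Arrays.copyOfRange(blob, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, IV_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(TAG_BITS, iv));
        // doFinal throws AEADBadTagException if the ciphertext or tag was tampered with
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }
}
```

A key file with any group/other bit set (for example 644) makes loadKey() fail at startup, which is the intended outcome: the application refuses to run with a key that other local users could copy.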