Private Key Storage.
I'm building java web based application.
I'm going to encrypt some sensitive data and store it in the database. (SQL
Server) But I have no idea how I should securely store the private (or secret)
key. What is the right way of doing that?
Are there any products dedicated to this particular problem? Or it is just
enough to place it in separate table/database?
[389 byte] By [
Andre] at [2007-11-9 23:50:15]
# 1 Re: Private Key Storage.
Hello!
Encryption policy is depend on type of information that you want to secure
in your database.
If it's dedicated to particular user (or users group) data you can
decrypt such information on client side (for example using smart cards -
Cryptoflex as example - for storing private keys and CAPICOM to access
to cryptography functions). It's very secure way to transmit such data.
If you have big array of transparent data that you can secure from
database administrator you can decrypt data in you Java application. You
can store data as binary large object format and decrypt it when they
are accessed (in special Java class for example) using some kind of
encryption techniques (MS Crypto API via JNI or TCP/IP Crypto Server), Java-based
security and so on. Private keys you can store in file system,
that encrypted using passphrase (if you choose crypto-server solution you
can store keys on separate machine that is dedicated for perfoming security
operations).
Also you can use encrypted file system - as simplest way to encrypt data.
But database will work same as without encryption. Only phisical files
that contains data will be encrypted.
Regards,
Nikolay Stanchenko,
Brainbench MVP in Internet Security
