How do I securely store encryption keys in java?

2019-01-05 05:45发布

I have a java properties object with authentication information for a web service. I need to encrypt that data, but I don't know where I need to store the encryption key for it to remain secure.

What are the best practices around encrypting this data and retrieving it in a secure way?

Is there any advantage to using a keystore?

ws_user=username
ws_password=password
ws_url=https://www.whatever.com/myservice

4条回答
Bombasti
2楼-- · 2019-01-05 06:17

This is a chicken-egg problem.
You will then need to to find where to store the password for the keystore and and so on.....

Depending on your security requirements and needs, you could enrypt the data using symmetric encryption and retrieve the password via a remote server (your server) using client side certificate authentication.

Or you could encrypt the data using symmetric enryption and have the password hardcoded in your jar, which is not safe but requires some effort to find it and you could delegate responsibility to the file system permissions on who can access your files.

查看更多
唯我独甜
3楼-- · 2019-01-05 06:20

The bottom line is that somewhere needs to have the "root-of-the-chain" password in an unencrypted form. An OS-protected local file, an OS-protected remote file, hardcoded in the source, etc.

The only way around that is to require a human to type the initial password at application start, which obviously isn't possible for applications which need to autostart.

查看更多
乱世女痞
4楼-- · 2019-01-05 06:21

Your problem is a common one. In linux, user passwords are stored in a plain text file. Although only the password hashes are stored, if an attacker gets access to that file, he will not take long to discover some password using an offline dictionary attack. In this case, the OS relies on file permissions to deny access to unauthorized users. In your case, it is not much different. You must configure the password file permissions properly and ensure the physical security of the server.

查看更多
男人必须洒脱
5楼-- · 2019-01-05 06:23

I have had success using Jasypt's StringEncrytor to encrypt sensitive information in properties files and some in-house procedures for generating salts and retrieving the password. Since you're using a web service, you could use Jasypt's Web PBE Configuration to manually enter the password at deploy time or even roll your own similar solution.

查看更多
登录 后发表回答