[CryptoAPI] Where to keep the keys for my application?


Forge Component
Published on 2015-11-29 by Ricardo Silva
In the Discussion thread for this component, Statler & Waldorf asked the following question:

I might need to encrypt some data columns in my database (customer names).
I am curious how to approach this. Where should I store my public/private key?
I am thinking of creating some keys on my dev environment and storing the key in my eSpace?
Different keys for acc, production and test?

This is a very good question, and one I (purposefully) don't address in CryptoAPI. This is because it all depends on how you'll use the API and on the threat model for your application.

So, in order to be able to answer your question, you need to ask yourself the simple question*: "what am I protecting this data against?"

- Are you encrypting the data so that when someone gets hold of your database they can't decrypt it? If so, the database is the worst place to store the key! You can't store the key in a Site Property, in a database table, or in the session.

Probably the best solution for this is: don't store the key! Ask for it when it's needed. For convenience's sake, you can store a key in the database if it is protected by a key you ask the user for. This is convenient when you want to have a master password but don't want to re-encrypt all the data in the database if the master password changes. In this case, you only need to re-encrypt the key protected by the master password; everything else stays encrypted with that stored key. This is the approach I'm using in my Passwords (still in development) component, by the way.

Another approach, if you want to store sensitive data in the database without burdening the user with having to know a password or something of the sort, is keeping the key in a different location, for example in a file on the front-end servers. You'll need to handle distributing the key to all front-ends and making sure it's in a known location, but you can use the Filesystem extension to read the key file.

When is it acceptable that the key is stored in the database (for example, a Site Property)? Rarely! Basically when your threat model doesn't include an adversary with the power to obtain your database :)

This will be, for example, an application where you're encrypting data that you're sending out of the application for later retrieval: sending a token that will later be returned to the application, or data for which the intended recipient also knows the key.

If anyone has a different view on this subject, or would like to add something, feel free to chip in.

* the question is simple, the answer... not so much :)
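
The master-password scheme described above (a stored data key protected by a key derived from a password the user supplies), as an added example that is not part of the original post and is not code from CryptoAPI or the Passwords component. It assumes Node.js's built-in crypto module, scrypt for the password-derived key and AES-256-GCM for encryption; all function names and sample values are constructed for illustration.

```javascript
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// AES-256-GCM helpers. Blob layout: nonce (12 bytes) || auth tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}
function open(key, blob) {
  const decipher = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the blob was modified.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// The database stores only { salt, wrapped }: the data key encrypted under a
// key derived from the master password. The password-derived key is never stored.
function wrapDataKey(dataKey, password) {
  const salt = randomBytes(16);
  return { salt, wrapped: seal(scryptSync(password, salt, 32), dataKey) };
}
function unwrapDataKey(record, password) {
  return open(scryptSync(password, record.salt, 32), record.wrapped);
}

// A password change re-wraps the data key only; encrypted columns are untouched.
function changeMasterPassword(record, oldPassword, newPassword) {
  return wrapDataKey(unwrapDataKey(record, oldPassword), newPassword);
}

// Constructed walk-through: encrypt a column, change the password, decrypt again.
function demo() {
  let record = wrapDataKey(randomBytes(32), 'old master password');
  const column = seal(unwrapDataKey(record, 'old master password'), Buffer.from('Alice Example'));
  record = changeMasterPassword(record, 'old master password', 'new master password');
  const name = open(unwrapDataKey(record, 'new master password'), column).toString();
  let oldPasswordStillWorks = true;
  try { unwrapDataKey(record, 'old master password'); } catch { oldPasswordStillWorks = false; }
  return { name, oldPasswordStillWorks };
}

console.log(demo());
```

Someone who obtains only the database gets the salt, the wrapped key and the ciphertext columns, so the protection is only as strong as the master password and the cost of the key-derivation function.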