[CryptoAPI] Safe to save Crypto Key to Site properties?

Forge Component
Published on 2018-11-11 by Ricardo Silva

Hi All,

Is saving a cryptographic key or any key like API keys to site properties good/safe practice?
I am using this key to encrypt and decrypt data stored in the DB...

I noticed the CryptoAPI demo (in Forge) saved the AES_SaveKey to a site property...

Solution

Hello André,

Security is always relative.

Using SaveKey will encrypt the key with the environment's unique 128-bit symmetric key. So even if anyone gains access to the value in the Site Property, they'd also need to gain access to the file system of your server to properly decrypt the contents.

I would say it's a safe enough approach for most use-cases.


Hi Ricardo, makes sense, thanks.
Would you then recommend encrypting API keys?

Hi André,

Sorry for the late reply, but yes, of course I would.

You can use the pattern shown in the Crypto API Demo, where you generate a key, save it to a site property and encrypt the API keys with that key.
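
The pattern discussed in this thread (a generated key stored only in wrapped form, then used to encrypt API keys), sketched as an added example that is not part of the original posts and is not CryptoAPI's own code. AES-GCM via Node's `crypto` module, all helper names, and the random `environmentKey` standing in for the environment's key are assumptions for illustration.

```javascript
const crypto = require('crypto');

// AES-GCM helpers (assumed cipher); output is base64(iv || tag || ciphertext).
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv(`aes-${key.length * 8}-gcm`, key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

function open(key, sealed) {
  const raw = Buffer.from(sealed, 'base64');
  const d = crypto.createDecipheriv(`aes-${key.length * 8}-gcm`, key, raw.subarray(0, 12));
  d.setAuthTag(raw.subarray(12, 28));
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]); // throws on a wrong key
}

// Constructed stand-in for the environment's 128-bit key kept on the server's file system.
const environmentKey = crypto.randomBytes(16);

// "Generate a key, save it to a site property": only the wrapped form is ever stored.
function provision(envKey) {
  const dataKey = crypto.randomBytes(32);
  return { siteProperty: seal(envKey, dataKey) };
}

// Encrypt an API key with the data key recovered from the site property.
function encryptApiKey(envKey, siteProperty, apiKey) {
  return seal(open(envKey, siteProperty), Buffer.from(apiKey, 'utf8'));
}

function decryptApiKey(envKey, siteProperty, stored) {
  return open(open(envKey, siteProperty), stored).toString('utf8');
}

// Someone holding the site property and the DB value, but not the environment key.
function canDecryptWith(envKeyGuess, siteProperty, stored) {
  try {
    decryptApiKey(envKeyGuess, siteProperty, stored);
    return true;
  } catch (e) {
    return false; // GCM authentication fails under the wrong key
  }
}
```

The protection holds only as long as the environment key stays separate from the database and site properties; anyone who obtains both can unwrap the data key.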