[CryptoAPI] Safe to save Crypto Key to Site properties?

Forge Component
Published on 3 Mar by Ricardo Silva
27 votes

Hi All,

Is saving a cryptographic key, or any key like API keys, to site properties a good/safe practice?
I am using this key to encrypt and decrypt data stored in the DB...

I noticed the CryptoAPI demo (in Forge) saved the AES_SaveKey to a site property...

Solution

Hello André,

Security is always relative.

Using SaveKey will encrypt the key with the environment's unique 128-bit symmetric key. So even if anyone gains access to the value in the Site Property, they'd need to also gain access to the file system of your server to properly decrypt the contents.

I would say it's a safe enough approach for most use-cases.


Hi Ricardo, makes sense, thanks.
Would you then recommend encrypting API keys?

Hi André,


Sorry for the late reply, but yes, of course I would.


You can use the pattern shown in Crypto API Demo where you generate a key, save it to a site property and encrypt the API keys with that key.

Ricardo Silva wrote:

Hello André,

Security is always relative.

Using SaveKey will encrypt the key with the environment's unique 128-bit symmetric key. So even if anyone gains access to the value in the Site Property, they'd need to also gain access to the file system of your server to properly decrypt the contents.

I would say it's a safe enough approach for most use-cases.


Hi Ricardo,

Does this mean that when using the Default Mode (Environment) of AES_SaveKey, this will use the key in the Private.Key file of the platform to encrypt the generated key of AES_NewKey? Is this file unique per environment? Is it also unique in OutSystems PaaS?


Regards

António Braz

Hello António,

That is correct. SaveKey will encrypt the key being saved with the environment's private key.

This key is generated once per installation and is unique per environment in On-Premise environments and in the OutSystems Enterprise Cloud.
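
The pattern this thread describes, a data key wrapped under an environment key so that only the wrapped form lands in the site property, shown as an added Go example that is not part of the original posts or the CryptoAPI component. AES-GCM, the base64 layout and the names `seal`, `open`, `newGCM` and `randomBytes` are assumptions for illustration; the thread does not say which algorithm AES_SaveKey uses internally.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG (used for keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds an AES-GCM cipher; key must be 16, 24 or 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns base64(nonce || ciphertext || tag), a text value that can be stored.
func seal(a cipher.AEAD, plaintext []byte) string {
	nonce := randomBytes(a.NonceSize())
	return base64.StdEncoding.EncodeToString(a.Seal(nonce, nonce, plaintext, nil))
}

// open reverses seal; a wrong key or a modified value returns an error.
func open(a cipher.AEAD, sealed string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil || len(raw) < a.NonceSize() {
		return nil, fmt.Errorf("malformed sealed value")
	}
	return a.Open(nil, raw[:a.NonceSize()], raw[a.NonceSize():], nil)
}

func main() {
	env, err := newGCM(randomBytes(16)) // constructed stand-in for the environment key
	if err != nil {
		panic(err)
	}
	fmt.Println("value for the site property:", seal(env, randomBytes(16)))
}
```

The stored value is only as protected as the environment key: anyone who can read both the site property and that key can recover the data key and everything encrypted under it.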