How to create Java Key Store (.jks) file with AES encryption

栀梦 2021-02-03 16:12

Reading Oracle documentation, I see that by default JKS files are encrypted using PBEWithMD5AndTripleDES. While DES alone makes me feel uneasy, MD5 lights a big red

4 Answers
  •  醉话见心
    2021-02-03 16:39

    Triple DES is pretty strong, and Oracle likely uses keys with 168 bits of entropy (giving a full 112 bits of security at the time of writing).

    Furthermore, although MD5 may not be secure for e.g. signatures, it is certainly valid for use in a key derivation scheme such as PBE.

    Of course it would be a good idea for Oracle to migrate away from these schemes in time, but Triple DES and MD5 should not worry you needlessly. Writing your own is probably a worse idea; there are too many pitfalls.

    Choose a good password; it's probably the best thing you can do. Or put your keystore in a correctly configured HSM or smartcard if you want high-end security.
