How do I securely store encryption keys in java? [closed]

Answer 1

I have had success using Jasypt's StringEncrytor to encrypt sensitive information in properties files and some in-house procedures for generating salts and retrieving the password. Since you're using a web service, you could use Jasypt's Web PBE Configuration to manually enter the password at deploy time or even roll your own similar solution.

Answer 2

The bottom line is that somewhere needs to have the "root-of-the-chain" password in an unencrypted form. An OS-protected local file, an OS-protected remote file, hardcoded in the source, etc.

The only way around that is to require a human to type the initial password at application start, which obviously isn't possible for applications which need to autostart.

Answer 3

This is a chicken-egg problem.
You will then need to to find where to store the password for the keystore and and so on.....

Depending on your security requirements and needs, you could enrypt the data using symmetric encryption and retrieve the password via a remote server (your server) using client side certificate authentication.

Or you could encrypt the data using symmetric enryption and have the password hardcoded in your jar, which is not safe but requires some effort to find it and you could delegate responsibility to the file system permissions on who can access your files.

Answer 4

Your problem is a common one. In linux, user passwords are stored in a plain text file. Although only the password hashes are stored, if an attacker gets access to that file, he will not take long to discover some password using an offline dictionary attack. In this case, the OS relies on file permissions to deny access to unauthorized users. In your case, it is not much different. You must configure the password file permissions properly and ensure the physical security of the server.