user2019260

Reputation: 153

How Can I Securely Store a SecretKey?

I'm building a basic webapp that takes in a user input and returns an encrypted password.

Problem is, currently the SecretKey I am using is stored in the src for the Java class. To me, it seems this is risky practice so I'm trying to find a way to safely store my SecretKey.

Doing some research, I found the Java KeyStore class but I'm not entirely sure if this is what I need. Also, if this is what I need, can you guys point me in the direction of how to implement it, and more importantly, how it works?

Thanks

Edit: From doing a lot of thinking/reading it seems like there really isn't a great solution and really a solution isn't needed so long as your main server is secure, which mine will be, so it's not an issue.

Thank you for all the replies! :)

Upvotes: 1

Views: 787
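As an added illustration of the Java KeyStore approach the question asks about (this is example code written for this page, not the poster's code): the secret key is generated once, written into a password-protected PKCS12 keystore file, and loaded from that file at runtime, so the key bytes no longer appear in the Java source or the compiled class. The file name `app-secrets.p12`, the alias `app-aes-key` and the environment variable `APP_KEYSTORE_PASSWORD` are assumptions for this example. Note the trade-off: the keystore password still has to come from somewhere outside the repository (here the environment), and anyone who controls the server can still read both, which is the point the poster's edit arrives at.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

public class SecretKeyStoreDemo {
    // Hypothetical values chosen for this example; adjust to your deployment.
    private static final Path KEYSTORE_PATH = Paths.get("app-secrets.p12");
    private static final String ALIAS = "app-aes-key";

    /** Reads the keystore password from the environment so it never sits in source control. */
    static char[] keystorePassword() {
        String pw = System.getenv("APP_KEYSTORE_PASSWORD");
        if (pw == null || pw.isEmpty()) {
            throw new IllegalStateException("APP_KEYSTORE_PASSWORD is not set");
        }
        return pw.toCharArray();
    }

    /** Generates a fresh AES-256 key and stores it under ALIAS in a new PKCS12 keystore file. */
    static void createAndStoreKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // load(null, null) initialises an empty keystore
        char[] pw = keystorePassword();
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(pw));
        try (FileOutputStream out = new FileOutputStream(KEYSTORE_PATH.toFile())) {
            ks.store(out, pw); // integrity-protected and encrypted with the keystore password
        }
    }

    /** Loads the key back from the keystore; this is what the webapp calls at startup. */
    static SecretKey loadKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        char[] pw = keystorePassword();
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH.toFile())) {
            ks.load(in, pw);
        }
        KeyStore.Entry entry = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(pw));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("No secret key stored under alias " + ALIAS);
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        if (!Files.exists(KEYSTORE_PATH)) {
            createAndStoreKey(); // first run: provision the key file
        }
        SecretKey key = loadKey();
        System.out.println("Loaded " + key.getAlgorithm() + " key, "
                + (key.getEncoded().length * 8) + " bits");
    }
}
```

Run it once with `APP_KEYSTORE_PASSWORD` exported to create `app-secrets.p12`, then keep that file and the password out of version control and readable only by the account the webapp runs as.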

Answers (2)

Chris

Reputation: 1306

If you are talking about your encryption key, then there is no secure way to store that key safely in JavaScript. I guess the storage you are talking about is the browser's local storage, which is nothing more than a persistent cookie on the browser side. Everybody that uses the Chrome WebInspector or Firefox Firebug can easily read this store for any page he is visiting. Furthermore, you would have to save it in this store by JavaScript, and as everybody can read your source code in the browser, it's even more obvious.

The only possibility to do such things safely is server-side, like with PHP for example. If you do want the feeling of interactive behaviour, though, you can use AJAX on the client side to interact with the backend.

EDIT: Ah, I think I got you wrong, as you are talking about Java in the backend? If yes, I think there is no problem when you have the key hardcoded in your compiled sources? If you want to store it somewhere else and are afraid someone uses it, you could salt and hash it in your application before you use it for key generation (of course the salt is hardcoded then)?

Upvotes: 0

ams

Reputation: 62772

Passwords should be stored using one-way hash functions; that way your system avoids this problem. See https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Upvotes: 1
