Reputation: 7065
I want to encrypt some server data using .NET's RSACryptoServiceProvider and decrypt it when someone enters a key/password via a web page. What are my options for protecting, or ideally not even storing, the private key on the server, whilst avoiding having the user supply it all each time?
Upvotes: 2
Views: 1743
Reputation: 75456
Other than the hardware approach (HSM or Smartcard), you pretty much have to use one secret to protect another secret. So you keep adding passwords. My suggestion is to use DPAPI,
http://en.wikipedia.org/wiki/Data_Protection_API
With this approach, you don't create yet another password. User experience is also better because they only have to type in password once at login.
Upvotes: 1
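As an added illustration of the DPAPI approach above (this is example code, not part of the original answer), the snippet below generates an RSA key pair, hands the PKCS#8 private key to DPAPI via ProtectedData.Protect, and later unprotects and re-imports it. DPAPI derives the wrapping key from the Windows account's logon credentials, so nothing password-like is stored alongside the blob; the trade-off is that any code running under that same account (and, with LocalMachine scope, any local account) can call Unprotect. The optional entropy value and the "server data" plaintext are constructed for the example. It assumes .NET 8 on Windows with the System.Security.Cryptography.ProtectedData package available.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: protecting an RSA private key at rest with DPAPI.
class DpapiKeyWrap
{
    // Application-specific entropy mixed into the DPAPI key. Constructed for
    // this example; in a real deployment keep it out of source control. Without
    // it, any process running as the same Windows user can Unprotect the blob.
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-app-entropy");

    // Wrap a PKCS#8 private key for the current user. CurrentUser scope ties the
    // blob to the account the web application pool runs under; LocalMachine would
    // let every account on the box (including local admins) decrypt it.
    public static byte[] Wrap(byte[] pkcs8PrivateKey) =>
        ProtectedData.Protect(pkcs8PrivateKey, Entropy, DataProtectionScope.CurrentUser);

    // Reverse of Wrap; must run under the same user account that called Protect.
    // Throws CryptographicException if the blob was tampered with or the scope/user differs.
    public static byte[] Unwrap(byte[] protectedBlob) =>
        ProtectedData.Unprotect(protectedBlob, Entropy, DataProtectionScope.CurrentUser);

    public static void Main()
    {
        // Generate a key pair; a real server would load an existing one once and wrap it.
        using RSA rsa = RSA.Create(2048);
        byte[] privateKey = rsa.ExportPkcs8PrivateKey();

        byte[] protectedBlob = Wrap(privateKey);
        CryptographicOperations.ZeroMemory(privateKey);   // don't leave the clear key in memory
        // protectedBlob is what you persist on the server; it is useless off-box.

        // Later, in the same user context, recover the key and import it.
        byte[] recovered = Unwrap(protectedBlob);
        using RSA serverKey = RSA.Create();
        serverKey.ImportPkcs8PrivateKey(recovered, out _);
        CryptographicOperations.ZeroMemory(recovered);

        // Round trip: encrypt with the public key, decrypt with the unwrapped private key.
        byte[] ciphertext = rsa.Encrypt(Encoding.UTF8.GetBytes("server data"), RSAEncryptionPadding.OaepSHA256);
        string plaintext = Encoding.UTF8.GetString(serverKey.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256));
        Console.WriteLine(plaintext);
    }
}
```

Note that DPAPI protects the key against someone who copies the file off the server, not against code executing as the application's own account. If the web user's password is meant to be required for decryption, that is a separate wrapping layer on top of this one.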
Reputation: 49649
Your best option will be to store the private keys in a Hardware Security Module protected by the password with the HSM ensuring that the key is not usable without the password.
If an HSM is not an option (they are quite expensive after all), you should derive a symmetric key using PBKDF2 or a similar strong system and encrypt the private key with that. Using the CSP's password-protection is also an option, but it is somewhat less transparent exactly what is going on, and you have to take care to avoid having the key accessible to domain-administrators etc.
Upvotes: 0
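The PBKDF2 route described in the answer above, as an added example that is not part of the original answer: the user's password is run through PBKDF2-HMAC-SHA256 with a random salt to derive an AES-256 key, which seals the PKCS#8 private key with AES-GCM so that a wrong password or a tampered blob is rejected rather than yielding garbage key material. The server stores only salt, nonce, tag and ciphertext; the password is never written down. The iteration count, blob layout, sample password and "server data" plaintext are choices made for this example, and it assumes .NET 8 (for Rfc2898DeriveBytes.Pbkdf2, RandomNumberGenerator.GetBytes and the AesGcm tag-size constructor).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: password-wrapping an RSA private key with PBKDF2 + AES-GCM.
static class PasswordWrappedKey
{
    const int SaltSize = 16, NonceSize = 12, TagSize = 16;
    const int Iterations = 600_000;   // example value; tune to your hardware budget

    // Blob layout (example convention): salt | nonce | tag | ciphertext
    public static byte[] Wrap(byte[] pkcs8PrivateKey, string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize);   // never reuse with the same key
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        byte[] ciphertext = new byte[pkcs8PrivateKey.Length];
        byte[] tag = new byte[TagSize];
        try
        {
            using var aes = new AesGcm(key, TagSize);
            aes.Encrypt(nonce, pkcs8PrivateKey, ciphertext, tag);
        }
        finally { CryptographicOperations.ZeroMemory(key); }

        byte[] blob = new byte[SaltSize + NonceSize + TagSize + ciphertext.Length];
        Buffer.BlockCopy(salt, 0, blob, 0, SaltSize);
        Buffer.BlockCopy(nonce, 0, blob, SaltSize, NonceSize);
        Buffer.BlockCopy(tag, 0, blob, SaltSize + NonceSize, TagSize);
        Buffer.BlockCopy(ciphertext, 0, blob, SaltSize + NonceSize + TagSize, ciphertext.Length);
        return blob;
    }

    // Re-derives the key from the supplied password and verifies the GCM tag.
    // A wrong password or modified blob throws CryptographicException; no
    // plaintext is returned in that case.
    public static byte[] Unwrap(byte[] blob, string password)
    {
        var salt = blob.AsSpan(0, SaltSize);
        var nonce = blob.AsSpan(SaltSize, NonceSize);
        var tag = blob.AsSpan(SaltSize + NonceSize, TagSize);
        var ciphertext = blob.AsSpan(SaltSize + NonceSize + TagSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32);
        byte[] plaintext = new byte[ciphertext.Length];
        try
        {
            using var aes = new AesGcm(key, TagSize);
            aes.Decrypt(nonce, ciphertext, tag, plaintext);
        }
        finally { CryptographicOperations.ZeroMemory(key); }
        return plaintext;
    }

    public static void Main()
    {
        const string password = "correct horse battery staple";   // constructed for the example

        using RSA rsa = RSA.Create(2048);
        byte[] pkcs8 = rsa.ExportPkcs8PrivateKey();
        byte[] blob = Wrap(pkcs8, password);      // this is all the server keeps
        CryptographicOperations.ZeroMemory(pkcs8);

        // Request path: user supplies the password, key is unwrapped only for the operation.
        byte[] recovered = Unwrap(blob, password);
        using RSA serverKey = RSA.Create();
        serverKey.ImportPkcs8PrivateKey(recovered, out _);
        CryptographicOperations.ZeroMemory(recovered);

        byte[] ct = rsa.Encrypt(Encoding.UTF8.GetBytes("server data"), RSAEncryptionPadding.OaepSHA256);
        Console.WriteLine(Encoding.UTF8.GetString(serverKey.Decrypt(ct, RSAEncryptionPadding.OaepSHA256)));

        // Failure mode: wrong password fails closed at the tag check.
        try { Unwrap(blob, "wrong password"); }
        catch (CryptographicException) { Console.WriteLine("wrong password: unwrap rejected"); }
    }
}
```

Two practical caveats: the unwrapped key exists in process memory for the duration of the request, so a memory dump by an administrator still exposes it, which is the residual risk the answer alludes to; and the PBKDF2 cost has to be paid on every request that supplies the password, so cache the imported RSA object for the session if the iteration count is high.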