Security: saving encryption keys in web.config or code

Question

I've got a small security question. I'm using RijndaelManaged class to encrypt a string (see first answer in this thread: https://social.msdn.microsoft.com/Forums/vstudio/en-US/d6a2836a-d587-4068-8630-94f4fb2a2aeb/encrypt-and-decrypt-a-string-in-c or this question: How to protect encryptor parameters themselfs).

This works well. However, now the question arises whether or not I should save the PasswordHash, SaltKey and ViKey in code or in the (unencrypted) web.config.

The only reason why I would save them in the web.config is the ability to change the values of the keys based on the DTAP environment. The D, T and A environments are obviously not generally accessible.

My question therefore is: What is more secure? Saving the keys in the web.config or in code? Are there any security issues I should look after?

Answer 1

I would definitively recommend to store in the web.config. Things in code will get checked in to your source control system, where it's hard to keep them secret.

You can even encrypt certain settings in your web.config using the machine key, making it much harder to steal.

See this article for more information.

Answer 2

In theory saving it in code is more secure, as the web.config can be read with a simple text-editor, but the compiled code needs the be interpreted somehow, e.g. a decompiler, to get to the strings.

BUT as soon as someone breached your server that far that he/she can view ANY of those two any real level of security is already lost. Meaning practically speaking they are on the same level of security.
Based on that I would save them in web.config (or the database), because code is no place to store non constant values.