Reputation: 606
Where to keep private keys in web deployments?
I am writing a web application which is exchanging signed xml over the web. My question is where to securely store my private keys and how to access them in my Java code? I am deploying on Google app engine cloud and my application can auto scale based on server load.
What are the industry best practices for doing this?
Upvotes: 3
Views: 273
Answers (1)
Reputation: 48267
Secure from whom? The NSA? Google admins? Script kiddies?
Ideally you buy an HSM and store them there. I don't know if GAE has an HSM. AWS does but it's not cheap.
You could also create a simple server with a very limited and locked down API and store your keys in it and get that server to sign stuff for you, without revealing your key.
Your next best option is to store your keys in a file or envar that can only be read by the user that your app is running as.
Upvotes: 2
Related Questions
- Storing public certificates and private keys safely
- How should I handle private key files in Google AppEngine for service accounts?
- GAE: best practices for storing secret keys?
- Where to store RSA private key for a (Spring Boot) Java AWS program
- How to manage google app engine service account private keys?
- Where to keep private keys and credentials for a web app?
- Where is the most secured place to store Amazon AWS Id and secret key?
- Where to store private keys for a continuous integration (CI) deployment?
- Java and Web development: good practices to store custom sensitive data such as private keys, API keys, etc
- Where to keep a GPG secret key for a Maven project in CI environment?