Tizianoreica

Reputation: 2236

Encrypting String inside Code (JAPH)

I don't even know if it's possible.

SCENARIO:

I have a master key for a KeyStore inside my Code. Something like

private static final char[] pwd = "password".toCharArray();

I have to protect my "password" also against decompiling. I mean, at least, try to have something like JAPH.

I know perfectly well that it's quite impossible to make my password secure and unreadable, but at least I'd like to make it as hard as possible.

Upvotes: 0

Views: 46

Answers (1)

Koziołek

Reputation: 2874

The first method is to distribute the password in a separate file and read it at runtime via the Properties API. Easy and simple. If you add some base64 encoding to that, it will protect you against script kiddies. Publishing the source code will only expose the method of storing the password. Of course, a leak of both the code and the file is still a problem.

The second method is very similar. Save the password as an environment variable and read it via System.env. In this case, to learn the password an attacker needs access to the OS to read it. That makes it a little bit more complicated.

The third method is a two-step password. The first password, which you store using the 2nd method, is the password to an AES-encrypted file that contains the main password.

In our project we use the 2nd method. It protects us from exposing the password if the code leaks (somehow); however, if someone breaks server security then... then we will have a much more serious problem than a leaked password.

ps. you could try to play with Honey Encryption to make it a little harder. The attacker will not know whether he has the valid password or just something that only looks like it.

Upvotes: 1
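The three methods from the answer above, written out as an added Java example (this is not the answerer's code, nor code from any project on the page). The properties key `keystore.password`, the environment variable name `KEYSTORE_UNLOCK`, the file layout `salt || iv || ciphertext+tag`, and the choice of PBKDF2-HMAC-SHA256 plus AES-GCM are assumptions made for the example; the point is that the master password never appears in the source, so a decompiler only reveals where it is loaded from, and a wrong unlock password or a tampered file is rejected by the GCM tag check rather than yielding garbage.

```java
import java.io.Reader;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Properties;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class KeyStoreSecretLoader {
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128, PBKDF2_ITERS = 210_000;

    // Method 1: the password lives in a properties file outside the jar, never in the source.
    static char[] fromPropertiesFile(Path file) throws Exception {
        Properties p = new Properties();
        try (Reader r = Files.newBufferedReader(file, StandardCharsets.UTF_8)) { p.load(r); }
        String v = p.getProperty("keystore.password"); // hypothetical key name
        if (v == null) throw new IllegalStateException("keystore.password missing in " + file);
        return v.toCharArray();
    }

    // Method 2: the password comes from the process environment (System.getenv is the JDK call).
    static char[] fromEnvironment(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) throw new IllegalStateException(name + " is not set");
        return v.toCharArray();
    }

    // Method 3: the environment password unlocks an AES-GCM encrypted file holding the master password.
    // Constructed file layout for this example: salt(16) || iv(12) || ciphertext||tag
    static char[] fromEncryptedFile(Path file, char[] unlockPassword) throws Exception {
        byte[] blob = Files.readAllBytes(file);
        if (blob.length < SALT_LEN + IV_LEN + TAG_BITS / 8) throw new IllegalStateException("file too short");
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(unlockPassword, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] plain = c.doFinal(ct); // throws AEADBadTagException on a wrong password or a tampered file
        CharBuffer cb = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(plain));
        char[] out = new char[cb.remaining()];
        cb.get(out);
        Arrays.fill(plain, (byte) 0); // scrub the intermediate byte copy
        return out;
    }

    // Deployment-time helper that produces the file read by fromEncryptedFile.
    static void writeEncryptedFile(Path file, char[] unlockPassword, char[] masterPassword) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        rnd.nextBytes(salt);
        rnd.nextBytes(iv); // fresh IV per file: never reuse a GCM nonce under the same key
        ByteBuffer bb = StandardCharsets.UTF_8.encode(CharBuffer.wrap(masterPassword));
        byte[] plain = new byte[bb.remaining()];
        bb.get(plain);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(unlockPassword, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain);
        Arrays.fill(plain, (byte) 0);
        ByteBuffer out = ByteBuffer.allocate(salt.length + iv.length + ct.length).put(salt).put(iv).put(ct);
        Files.write(file, out.array());
    }

    // PBKDF2-HMAC-SHA256 turns the unlock password into a 256-bit AES key; the salt is stored in the file.
    static SecretKey deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, PBKDF2_ITERS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo values; in production the unlock password would come from
        // fromEnvironment("KEYSTORE_UNLOCK") and the file would be written once at deployment.
        char[] unlock = "demo-unlock-password".toCharArray();
        char[] master = "demo-master-password".toCharArray();
        Path f = Files.createTempFile("master", ".enc");
        writeEncryptedFile(f, unlock, master);
        char[] recovered = fromEncryptedFile(f, unlock);
        System.out.println("round trip ok: " + Arrays.equals(master, recovered));
        try {
            fromEncryptedFile(f, "wrong-password".toCharArray());
        } catch (AEADBadTagException e) {
            System.out.println("wrong unlock password rejected");
        }
        // Wipe secrets from memory once the KeyStore has been opened with them.
        Arrays.fill(recovered, '\0');
        Arrays.fill(master, '\0');
        Arrays.fill(unlock, '\0');
        Files.deleteIfExists(f);
    }
}
```

Passing the recovered `char[]` straight to `KeyStore.load` and wiping it afterwards keeps the secret out of the interned `String` pool; the remaining exposure is exactly the one the answer names: whoever can read the server's environment and file system can still recover the password.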
