user3496510

Reputation: 96

.Net Core Store Private keys in AWS

I am implementing a secured system (using .Net Core 2.0) where there is a requirement for key pair (public and private) generation and transmitting the public key to a recipient. At the moment I generate the key pair (using the .Net Core Crypto library) and persist the private key in the DB. I need to host this in an AWS EC2 instance.

I know this is a bad practice (storing a private key in a DB) and I need to generate these keys in a secure vault (AWS?) and persist the private key in the vault itself. The application needs to retrieve the corresponding private key when there is a requirement for decryption.

I went through many AWS docs but could not find a clear answer which caters to my requirement. It would be great if someone could provide me with some clear instructions on how to achieve this.

Upvotes: 3

Views: 841

Answers (2)

varadhan

Reputation: 11

You can try t-vault: https://github.com/tmobile/t-vault

It's an open source tool built on top of HashiCorp Vault. It simplifies secret management for applications.

Here is a quick demo

Upvotes: 1

ThePretendProgrammer

Reputation: 1517

You are right in pointing out that self-storage of secrets in a DB is a bad practice. Depending on the extent of functionality you wish to offer via your application, you could use one of the AWS offerings below:

AWS Key Management Service

In case you need the key generation as well as the key storage to occur in AWS, Key Management Service (KMS) is the closest match. Here is a link to the AWS KMS home page, along with documentation. Bear in mind that choosing this option will restrict the exact mechanism of key generation to whatever AWS offers out of the box. Also, the standard use case for KMS doesn't include generating keys in high volumes, which could be a possibility for your application.

AWS Parameter Store

If you decide to include the key generation logic within your application and leave the storing part to AWS, then Parameter Store is the offering for you. In order to add a new key to Parameter Store, you can do the following:

aws ssm put-parameter --name Generated_Public_Key --value "Generated_Private_Key" --type SecureString

When a client of your application requires a previously created private key by providing the public key, you can use the following:

aws ssm get-parameter --name User_Provided_Public_Key --with-decryption

Just a side note: in case you decide to look outside of AWS, Microsoft Azure has an offering similar to Parameter Store called Azure Key Vault.

Upvotes: 5
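As an added example (not code from either answer), here is the Parameter Store approach in C# for the asker's .NET application: the application generates the RSA pair, stores only the private key as a SecureString, and later looks it up by a SHA-256 fingerprint of the public key, because parameter names only allow the characters a-zA-Z0-9_.-/ and so the raw public key cannot serve as the name. It assumes the AWSSDK.SimpleSystemsManagement NuGet package, .NET Core 3.0 or later for ExportRSAPrivateKey/ImportRSAPrivateKey, AWS credentials supplied by the EC2 instance role, and a hypothetical parameter path prefix /myapp/private-keys/.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Amazon.SimpleSystemsManagement;
using Amazon.SimpleSystemsManagement.Model;

public static class PrivateKeyStore
{
    // Parameter names may only contain a-zA-Z0-9_.-/, so the public key itself cannot
    // be the name; a SHA-256 fingerprint of the DER public key is a safe lookup handle.
    public static string ParameterNameFor(byte[] publicKeyDer)
    {
        using (var sha = SHA256.Create())
        {
            string hex = BitConverter.ToString(sha.ComputeHash(publicKeyDer)).Replace("-", "");
            return "/myapp/private-keys/" + hex; // hypothetical prefix, chosen for this example
        }
    }

    // Generate a key pair, store the private half in Parameter Store, and return the
    // public half so the application can transmit it to the recipient.
    public static async Task<byte[]> GenerateAndStoreAsync(IAmazonSimpleSystemsManagement ssm)
    {
        using (var rsa = RSA.Create(2048))
        {
            byte[] publicKey = rsa.ExportRSAPublicKey();   // PKCS#1 DER, safe to send out
            byte[] privateKey = rsa.ExportRSAPrivateKey(); // PKCS#1 DER, only ever goes to SSM
            await ssm.PutParameterAsync(new PutParameterRequest
            {
                Name = ParameterNameFor(publicKey),
                Value = Convert.ToBase64String(privateKey),
                Type = ParameterType.SecureString, // encrypted at rest under the KMS key
                Overwrite = false                  // refuse to silently replace an existing key
            });
            return publicKey;
        }
    }

    // Fetch the private key matching the public key a client presents and decrypt with it.
    public static async Task<byte[]> DecryptAsync(IAmazonSimpleSystemsManagement ssm, byte[] publicKey, byte[] ciphertext)
    {
        var response = await ssm.GetParameterAsync(new GetParameterRequest
        {
            Name = ParameterNameFor(publicKey),
            WithDecryption = true // SSM calls KMS for you; the role needs ssm:GetParameter and kms:Decrypt
        });
        using (var rsa = RSA.Create())
        {
            rsa.ImportRSAPrivateKey(Convert.FromBase64String(response.Parameter.Value), out _);
            return rsa.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);
        }
    }
}
```

Scope the instance role's ssm:GetParameter permission to that path prefix so no other workload on the account can read the keys. A standard SecureString parameter holds at most 4 KB, which fits a base64 2048-bit PKCS#1 key comfortably but gets tight at 4096 bits.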
