electrotype

Reputation: 8796

How to encrypt data using a private key/password that is itself encrypted?

I want to encrypt some data (some simple text) using Java in a way that:

In other words, I want my application to be able to encrypt some data by itself, without requiring the key every time, and I want this key to be encrypted itself (not stored in plain text) so an attacker couldn't get it.

What tools/techniques can I use to achieve that?

Upvotes: 1

Views: 319

Answers (1)

gusto2

Reputation: 12075

> An attacker who would gain access to the server wouldn't be able to get the stored key

This is generally a problem, mainly when having an encryption key next to your data. Once the key is leaked, nothing prevents the attacker from decrypting the data. Your main task is preventing the attacker from getting access to the key in the first place (I know, it's easy to say).

It seems you want to keep the key only in memory; that may be a good idea in many cases. When decrypting, in the end the key needs to be in memory anyway.

> I want this key to be encrypted itself (not stored in plain text)

Then you need to store and maintain an encryption key to encrypt the first key. And you have the same issue of protecting both of the keys.

Suggestion:

I often see solutions using external services to manage the keys or do the cryptographic operations (a key vault, key management service, HSM, TPM, ...). However, if an attacker gains full application-level access, he may use the same services to decrypt the data.

But at least if data are leaked (in my experience often backups or old copies are leaked), these services would help to make the data inaccessible.

Upvotes: 1
