thoughts on managing encryption keys

  • Any suggestions on how to hide the encryption key for a server side implementation of encryption on a SQL 2000 server? For example, store it in a registry key vs. a database table. What works best, what's most secure?

  • There's no great "secure" option on the db server. I'd look at a third party product as they have dealt with this before and made lots of mistakes.

  • Saving keys anywhere in any form introduces some vulnerability ... but you can make it difficult for an attacker by making it as unobvious as possible - embed it in something, add garbage or encrypt the key itself, obfuscate (e.g. switch bytes) or split it into various locations (some bytes in the registry, some in a table, some in an ini file). However, anyone who has access to your code is going to have access to the key.
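The split-across-locations idea in the post above, as an added example (Python, not code from the thread): instead of putting some key bytes in each location, which hands those bytes to anyone who reads that one location, each location holds a full-length XOR share, so no proper subset of the locations reveals anything about the key, and a key check value detects a missing or altered share before the key is used. The three locations are simulated in memory, and all function names are this example's own; the post's caveat stands, since anyone with access to every location and the code still recovers the key.

```python
import hashlib
import hmac
import os

LABEL = b"dek-key-check"  # fixed label for the key check value (KCV)


def split_key(key: bytes, n: int) -> list:
    """Split key into n XOR shares; all n are needed, any n-1 are uniformly random."""
    if n < 2:
        raise ValueError("need at least two shares")
    shares = [os.urandom(len(key)) for _ in range(n - 1)]
    last = key
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    shares.append(last)
    return shares


def combine_shares(shares) -> bytes:
    """XOR all shares back together; a share of the wrong length is an error."""
    length = len(shares[0])
    key = bytes(length)
    for s in shares:
        if len(s) != length:
            raise ValueError("share length mismatch")
        key = bytes(a ^ b for a, b in zip(key, s))
    return key


def key_check_value(key: bytes) -> bytes:
    """HMAC over a fixed label: detects a wrong reconstruction without exposing the key."""
    return hmac.new(key, LABEL, hashlib.sha256).digest()


def load_key(shares, expected_kcv: bytes):
    """Reconstruct the key only in memory; return None if the share set is not the original."""
    key = combine_shares(shares)
    if not hmac.compare_digest(key_check_value(key), expected_kcv):
        return None
    return key


def demo() -> bool:
    """Constructed walkthrough with the post's three locations: registry, table, ini file."""
    key = os.urandom(32)
    reg, tbl, ini = split_key(key, 3)
    kcv = key_check_value(key)
    # every location holds a full-length share, but no single share is the key
    ok = load_key([reg, tbl, ini], kcv) == key
    tampered = load_key([reg, tbl, os.urandom(32)], kcv) is None
    return ok and tampered and reg != key
```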

  • If you are using Microsoft's Crypto API to do all your encryption, use the certificate store.


    Julian Kuiters
    juliankuiters.id.au
