
I am creating a web application with ASP.NET MVC, and I want to store some passwords in a database.

The passwords must be recoverable. (They are not for myself; I need the passwords to communicate with an API, which needs the real password.) So I can't use hash algorithms or the like.

I have found that AES is a good encryption algorithm for me.

But, the problem is: where to store AES key? Is storing in appsettings inside web.config enough? How to make the key harder to find (for hackers)?

And the next question: Any ideas to make this system safer?

Mahdi Ghiasi
  • Of course you can encrypt a key with another key, then encrypt that key with yet another key ad nauseam. But it pays off to think about what you are trying to achieve, and that is to restrict access to information. There are oodles of methods of accomplishing this, and most of them are not about encryption. – Maarten Bodewes Sep 14 '12 at 18:08
  • So, what way do you recommend? Is storing the key in web.config and encrypting web.config enough? – Mahdi Ghiasi Sep 14 '12 at 19:43
  • Yes, that could certainly be part of your *key management* scheme (hence the comment). I was just making sure you are not just looking at encryption mechanisms. Where are you going to store the key that decrypts `web.config`? Who's got access to it? – Maarten Bodewes Sep 15 '12 at 08:24
  • Currently, I'm storing the key for the passwords in `appsettings` in web.config, and then encrypting web.config using the ASP.NET built-in method (see this: http://stackoverflow.com/questions/54200/encrypting-appsettings-in-web-config ), but I want to make this process safer. – Mahdi Ghiasi Sep 15 '12 at 10:25

1 Answer


It is possible to encrypt sections of .config files. Here is the msdn documentation on the subject, although you will find other walkthroughs online as well.

recursive
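As an added illustration of the approach the answer and the comments describe (this is example code written for this page, not code from the question, the answer, or Microsoft's documentation), the following protects the `<appSettings>` section of web.config programmatically with the built-in DPAPI provider and then reads the AES key back through `ConfigurationManager`, which decrypts transparently. The setting name `AesKeyBase64` and the class name are assumptions for the example.

```csharp
// Added example (not from the original question or answer): encrypt the
// <appSettings> section of web.config at runtime using the built-in DPAPI
// provider, then read a setting back. Assumes the application pool identity
// can write web.config the first time ProtectAppSettings() runs; afterwards
// the section stays encrypted on disk.
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtection
{
    // DPAPI-backed provider: the section can only be decrypted on the machine
    // where it was encrypted, by accounts that can use that machine key.
    // Use "RsaProtectedConfigurationProvider" instead when several servers in
    // a farm must read the same encrypted config.
    private const string Provider = "DataProtectionConfigurationProvider";

    public static void ProtectAppSettings()
    {
        // "~" resolves to the application's root web.config.
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("appSettings");

        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection(Provider);
            // forceSaveAll = true writes the section even if nothing else changed.
            config.Save(ConfigurationSaveMode.Full, true);
        }
    }

    public static byte[] ReadAesKey()
    {
        // Reading through ConfigurationManager decrypts the protected section
        // transparently; the plaintext key is never stored in the file.
        // "AesKeyBase64" is an assumed setting name for this example.
        string encoded = ConfigurationManager.AppSettings["AesKeyBase64"];
        if (string.IsNullOrEmpty(encoded))
            throw new ConfigurationErrorsException("AesKeyBase64 is missing from appSettings.");
        return Convert.FromBase64String(encoded);
    }
}
```

The same protection can be applied without code by running `aspnet_regiis -pef "appSettings" "<physical path of the application>"` from an elevated prompt, which is the method the MSDN walkthrough in the answer covers. The caveat raised in the comments still applies: the section is decrypted for any code running under the application pool identity on that machine, so restricting who can run code or log on as that identity matters as much as the encryption itself.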