3

I'm developing a web application in Java, Spring and JDBC, which is deployed on Tomcat 7. I'm encrypting/decrypting a data-source password using a private key.

Now I have this private key hard-coded in the Java code. But I have to store the private key in a more secure place. How can I do this?

Is it a good idea to generate a certificate (keystore, key pair), install it on Tomcat and retrieve this data from the Java code?

JiboOne
  • 1,438
  • 4
  • 22
  • 55
  • Use a keystore. You can put a password on the private key and a separate password on the keystore file. Check my answer on this question for some code: http://stackoverflow.com/questions/14272842/open-x509-certificate-store-from-java-apis/14273320#14273320 – nablex Jan 14 '13 at 06:22

1 Answer

1

That's a problem you cannot easily solve. If you store your key in a keystore you will need a key to access the keystore, and where do you store this?

If this is really a high-security application, the only way is to use a dedicated hardware security box for doing the decryption.

Henry
  • 42,982
  • 7
  • 68
  • 84
  • What do you mean by using a dedicated hardware security box? Should I save my keystore in dedicated secure storage? – JiboOne Jan 14 '13 at 08:01
  • For high security, yes, but most probably your application does not need that level of security, because then one would rather encrypt the sensitive data already in the database. – Henry Jan 14 '13 at 08:27
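The following is an added example, not code from the question, the linked answer or the accepted answer. It shows the approach nablex's comment suggests: the RSA private key lives in a PKCS12 keystore on disk rather than in the source, and the application loads it at startup to decrypt the data-source password. It also makes Henry's point concrete: the keystore password still has to come from somewhere, and here it is read from a file owned by the Tomcat user with mode 0400, which moves the secret out of the code and the build artefact but does not remove it. All paths, the alias `datasource-key`, the password file and the OAEP transformation are assumptions for illustration; Java 8 or later is assumed for `java.util.Base64`. The keystore would be created once with `keytool -genkeypair -alias datasource-key -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore app-keys.p12`, and with PKCS12 the key password is the store password.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;

/**
 * Added example: decrypt an RSA-encrypted data-source password with a private
 * key held in a PKCS12 keystore instead of a key hard-coded in the application.
 * Paths, alias and transformation below are assumptions, not taken from the page.
 */
public final class DataSourcePasswordDecryptor {

    // Hypothetical deployment locations. The password file must be readable
    // only by the user Tomcat runs as (chown tomcat7, chmod 0400).
    private static final String KEYSTORE_PATH = "/etc/tomcat7/conf/app-keys.p12";
    private static final String PASSWORD_FILE = "/etc/tomcat7/conf/keystore.pass";
    private static final String KEY_ALIAS = "datasource-key";
    // RSA-OAEP rather than PKCS#1 v1.5 padding; both sides use the same JCE provider.
    private static final String TRANSFORMATION = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    private final PrivateKey privateKey;
    private final PublicKey publicKey;

    public DataSourcePasswordDecryptor(String keystorePath, String passwordFile, String alias)
            throws Exception {
        char[] password = readPassword(passwordFile);
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(Paths.get(keystorePath))) {
                ks.load(in, password);
            }
            // With PKCS12 the key password is the store password.
            privateKey = (PrivateKey) ks.getKey(alias, password);
            if (privateKey == null) {
                throw new IllegalStateException("no private key under alias " + alias);
            }
            publicKey = ks.getCertificate(alias).getPublicKey();
        } finally {
            Arrays.fill(password, '\0'); // don't leave the keystore password in the heap
        }
    }

    /** Reads the first line of the password file into a char[] without an intermediate String. */
    private static char[] readPassword(String file) throws java.io.IOException {
        byte[] raw = Files.readAllBytes(Paths.get(file));
        int len = raw.length;
        while (len > 0 && (raw[len - 1] == '\n' || raw[len - 1] == '\r')) {
            len--; // strip the trailing newline an editor leaves behind
        }
        char[] pw = new char[len];
        for (int i = 0; i < len; i++) {
            pw[i] = (char) (raw[i] & 0xff); // assumes an ASCII password
        }
        Arrays.fill(raw, (byte) 0);
        return pw;
    }

    /** Decrypts a Base64-encoded RSA-OAEP ciphertext back to the data-source password. */
    public String decrypt(String base64Ciphertext) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.DECRYPT_MODE, privateKey);
        byte[] plain = cipher.doFinal(Base64.getDecoder().decode(base64Ciphertext));
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Produces the ciphertext an operator puts into the configuration; run once, not at runtime. */
    public String encrypt(String plaintextPassword) throws Exception {
        Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, publicKey);
        byte[] ct = cipher.doFinal(plaintextPassword.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    // Usage: java DataSourcePasswordDecryptor encrypt <password>
    //        java DataSourcePasswordDecryptor decrypt <base64-ciphertext>
    public static void main(String[] args) throws Exception {
        DataSourcePasswordDecryptor d =
                new DataSourcePasswordDecryptor(KEYSTORE_PATH, PASSWORD_FILE, KEY_ALIAS);
        if (args.length == 2 && args[0].equals("encrypt")) {
            System.out.println(d.encrypt(args[1]));
        } else if (args.length == 2 && args[0].equals("decrypt")) {
            System.out.println(d.decrypt(args[1]));
        } else {
            System.err.println("usage: encrypt <password> | decrypt <base64-ciphertext>");
        }
    }
}
```

In a Spring deployment the decryptor would run once during context start-up and hand the plaintext to the `DataSource` bean, so the password never appears in a properties file or in the WAR. What the keystore buys over a hard-coded key is separation: the key material is a file with filesystem permissions and a password, not a string recoverable from the class files by anyone who can read the deployed artefact. It does not protect against an attacker who already runs code as the Tomcat user, which is the residual risk Henry's answer points at and the case where an HSM, or encrypting the sensitive data in the database itself, is the stronger option.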