
I'm using the solution presented in this QA: https://stackoverflow.com/a/2791259/2713516

However, I see some people storing the key (random 'password') in the code as a field, but I'm wondering if this is actually a good idea. The salt used in that solution is also a field in the class.

Some suggest to use the user's password, but since that can change I don't think that's a good idea.

So my questions are: Is storing the salt in the class as a field, as presented in the mentioned solution, OK? What should I use for an encryption/decryption key (some random key for all users)? Where should I store this key? In the class as a field? In the database?

Thanks!


1 Answer

0

Personally I would store the key in the configuration file for the application. Either the app.config file, or the web.config file (depending on whether it's a desktop or web app).

<add key="EncryptionKey" value="MY_KEY" />

I would generate the key using some random string generator.

Do you anticipate having to change the key often?

Also -- for the production transformation of your web.config, I would recommend leaving the encryption key out of your SCM solution (GIT, SVN, etc). I keep all of ours in a separate KeyPass database.
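The following C# is an added example of the approach the answer describes (key in appSettings rather than a field in code); it is not the answerer's code and not the code from the linked Stack Overflow solution. It assumes the config entry is named EncryptionKey as in the answer's snippet and holds a base64 string of 32 random bytes produced by GenerateKeyBase64. Because the key is random and full-length there is no password derivation and therefore no salt to store; the per-message randomness is the IV, which is generated fresh on every call and prepended to the ciphertext, so a fixed value in a static field is no longer needed.

```csharp
using System;
using System.Configuration;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Assumed config entry (added example, key name taken from the answer above):
//   <appSettings>
//     <add key="EncryptionKey" value="...base64 of 32 random bytes..." />
//   </appSettings>
public static class KeyedAes
{
    // Run once and paste the output into the config entry. Uses the CSPRNG rather
    // than a "random string generator": a 256-bit key needs 32 unpredictable bytes.
    public static string GenerateKeyBase64()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(key);
        }
        return Convert.ToBase64String(key);
    }

    // Reads the key from appSettings and fails loudly instead of falling back to a default.
    public static byte[] LoadKeyFromConfig()
    {
        string b64 = ConfigurationManager.AppSettings["EncryptionKey"];
        if (string.IsNullOrWhiteSpace(b64))
            throw new InvalidOperationException("EncryptionKey is not configured.");
        byte[] key = Convert.FromBase64String(b64);
        if (key.Length != 32)
            throw new InvalidOperationException("EncryptionKey must decode to 32 bytes.");
        return key;
    }

    // AES-CBC with a fresh random IV per call; output layout is IV || ciphertext.
    public static byte[] Encrypt(byte[] key, string plaintext)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();                      // new 16-byte IV for every message
            using (var ms = new MemoryStream())
            {
                ms.Write(aes.IV, 0, aes.IV.Length);
                using (var enc = aes.CreateEncryptor())
                using (var cs = new CryptoStream(ms, enc, CryptoStreamMode.Write))
                {
                    byte[] data = Encoding.UTF8.GetBytes(plaintext);
                    cs.Write(data, 0, data.Length);
                    cs.FlushFinalBlock();
                }
                return ms.ToArray();               // valid even after the stream is closed
            }
        }
    }

    public static string Decrypt(byte[] key, byte[] blob)
    {
        using (var aes = Aes.Create())
        {
            aes.Key = key;
            byte[] iv = new byte[aes.BlockSize / 8];
            if (blob.Length < iv.Length)
                throw new ArgumentException("Ciphertext too short to contain an IV.");
            Array.Copy(blob, 0, iv, 0, iv.Length);
            aes.IV = iv;
            using (var dec = aes.CreateDecryptor())
            using (var ms = new MemoryStream(blob, iv.Length, blob.Length - iv.Length))
            using (var cs = new CryptoStream(ms, dec, CryptoStreamMode.Read))
            using (var sr = new StreamReader(cs, Encoding.UTF8))
            {
                return sr.ReadToEnd();
            }
        }
    }

    // Constructed round-trip demo; the key would normally come from LoadKeyFromConfig().
    public static void Main()
    {
        byte[] key = Convert.FromBase64String(GenerateKeyBase64());
        byte[] blob = Encrypt(key, "constructed sample secret");
        Console.WriteLine(Decrypt(key, blob));
    }
}
```

Note that this gives confidentiality only: CBC without a MAC does not detect tampering, so for data an attacker could modify, add an HMAC over the IV and ciphertext (encrypt-then-MAC, with a second key) or use an AEAD mode where your framework version provides one.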

  • Isn't that just as 'safe' (or unsafe) as storing it in the code? Where the code is easier IMO. I don't see why I would change the key at any time. – user2713516 Feb 10 '14 at 20:17
  • 1
    Storing it in the code means that anyone working on your code with you will know what the encryption key is. By moving it out to config, you have the ability to hide this from other developers that may be working on the project, but do not require access to the production encryption key. It also makes it easier for you to use separate keys in different environments, or to change the key if you think it may have somehow become compromised. – Jeremy Noonan Feb 10 '14 at 20:19
  • Thanks, I decided to have the key partially in code, and partially in a file I remove from the server after reading it and keeping the composed key in a static field (in memory). – user2713516 Feb 10 '14 at 21:39
  • @O.O - Interesting read, definitely good to brush up on my Microsoft security best practices. How do you feel about the default storage for the ASP.NET Forms Auth Encryption Key (the machine key) being in the web config? Perhaps an oversight by Microsoft? – Jeremy Noonan Feb 11 '14 at 12:33
  • @JeremyNoonan - I think M$'s point is that if you store sensitive information in a web.config or app.config, you should encrypt that config section and also to attempt to restrict access to the file via permissions or w/e. – O.O Feb 11 '14 at 16:32
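The last comment's advice (encrypt the config section and restrict file permissions) can be carried out with the built-in protected configuration providers. The C# below is an added example, not code from any participant in the thread: it encrypts the appSettings section of a web.config with the Windows DPAPI provider so the key is no longer in plaintext on disk, while ConfigurationManager.AppSettings keeps returning the decrypted value transparently at runtime. The virtual path "/MyApp" and the application pool identity in the icacls comment are assumed placeholders.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigProtector
{
    // Encrypts <appSettings> in the site's web.config using the machine's DPAPI key.
    // "/MyApp" is an assumed IIS virtual path for this example.
    public static void ProtectWebAppSettings(string appVirtualPath = "/MyApp")
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appVirtualPath);
        ProtectSection(config, "appSettings");
    }

    // Same operation for a desktop app's MyApp.exe.config.
    public static void ProtectExeAppSettings()
    {
        Configuration config = ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ProtectSection(config, "appSettings");
    }

    private static void ProtectSection(Configuration config, string sectionName)
    {
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new InvalidOperationException("Section not found: " + sectionName);
        if (section.SectionInformation.IsProtected)
            return;                                   // idempotent: already encrypted
        // DPAPI ties the encrypted section to this machine; on a web farm use
        // "RsaProtectedConfigurationProvider" with an exported key container instead.
        section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Reading back needs no special code: the provider decrypts on access.
    public static string ReadEncryptionKey()
    {
        return ConfigurationManager.AppSettings["EncryptionKey"];
    }
}

// The same can be done without code from an elevated prompt on the server:
//   aspnet_regiis.exe -pe "appSettings" -app "/MyApp"
// and the file ACL tightened so only the app pool identity (assumed name) can read it:
//   icacls web.config /inheritance:r /grant:r "IIS AppPool\MyApp:R" /grant:r "Administrators:F"
```

Encrypting the section protects against someone who can read the file but not run code as the application identity (backups, source control leaks, a directory-traversal read); it does not protect against an attacker who already executes as that identity, which is why the ACL step still matters.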