
I'm using pycrypto to encrypt information from a web app before persisting it to a database.

I need to be able to retrieve the information later, so hashing isn't an option.

If my server is compromised, I assume key(s) stored are also compromised.

Is there a method, perhaps using an intermediary, to encrypt data (and store keys) securely?

okoboko
  • Read [How to properly do private key management](http://stackoverflow.com/questions/1583553/how-to-properly-do-private-key-management?lq=1); the top answer describes a scheme with a data encryption key which is protected by a key encryption key, which is stored on a separate physical box and is itself protected with a master key. – Oleg Estekhin Jul 08 '14 at 05:44
  • There are contradicting requirements: you need to make the key available/readable by your code (in an automatic way), and on the other side you want to prevent reading the key by someone else visiting your machine. It might help to realize that both requirements cannot be satisfied at once. Any attempt to make reading the key from your code somehow "secure" will only result in a much more complicated solution, which will not meet the other criteria anyway. – Jan Vlcinsky Jul 08 '14 at 07:07

0 Answers