0

How should I store the KEY from AES encrypt?

    SceAES secaes = new SceAES("pomboSenha", "G567EF33WQ19PL1S", 12, 45, 256, "SHA1", "systemSCE");

"pomboSenha" is the secretKey above. Is it safe to maintain it hardcoded in a class?

Igor Ševo
ozsenegal

3 Answers

1

While it may be sufficiently safe to do so, the key will be resident in memory in the process using it. If this is a server process like w3wp.exe or some other service that is accessible from outside, then you are just putting it one step closer to the enemy's hands. Store the key on the filesystem, or in a database where there is another layer of authentication/authorization in front of it.

matt-dot-net
    Doesn't help that the key is just sitting there in the plain. The usual way is to get it as an array of bytes and then wipe that array in a `finally` block. – Steven Sudit Aug 09 '10 at 21:08
0

You could use a SecureString: When would I need a SecureString in .NET?.

Community
Igor Ševo
-1

I believe that the official right answer is to store the key in a CSP container, so that the account itself protects it.

http://msdn.microsoft.com/en-us/library/aa387043(v=VS.85).aspx

Steven Sudit
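
An added example, not code from the question or from any of the answers, combining the suggestions above: the AES key is random rather than hardcoded, it is kept on the filesystem only in a form wrapped by an RSA key pair held in a CSP key container tied to the Windows account, and the plaintext key bytes are wiped in a `finally` block. The class, container and file names are assumptions, and the code is Windows-only.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class WrappedKeyExample
{
    const string ContainerName = "ExampleAppKeys";    // assumed container name
    const string WrappedKeyFile = "aes-key.wrapped";  // assumed path; restrict its ACL

    // Opens (or creates on first use) an RSA key pair persisted in a CSP key container.
    static RSACryptoServiceProvider OpenContainer() =>
        new RSACryptoServiceProvider(2048, new CspParameters { KeyContainerName = ContainerName });

    // One-time setup: random AES-256 key, written to disk only in RSA-OAEP-wrapped form.
    static void Provision()
    {
        byte[] key = new byte[32];
        try
        {
            using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
            using (var rsa = OpenContainer()) File.WriteAllBytes(WrappedKeyFile, rsa.Encrypt(key, true));
        }
        finally { Array.Clear(key, 0, key.Length); }  // wipe the plaintext key
    }

    // Returns IV || ciphertext (AES-CBC with PKCS7 padding, the Aes.Create() defaults).
    static byte[] Encrypt(byte[] plaintext)
    {
        byte[] key = null;
        try
        {
            using (var rsa = OpenContainer()) key = rsa.Decrypt(File.ReadAllBytes(WrappedKeyFile), true);
            using (var aes = Aes.Create())
            {
                aes.Key = key;       // Aes keeps its own copy, cleared on Dispose
                byte[] iv = aes.IV;  // fresh random IV for this instance
                using (var enc = aes.CreateEncryptor())
                    return iv.Concat(enc.TransformFinalBlock(plaintext, 0, plaintext.Length)).ToArray();
            }
        }
        finally { if (key != null) Array.Clear(key, 0, key.Length); }
    }
    static void Main()
    {
        if (!File.Exists(WrappedKeyFile)) Provision();
        Console.WriteLine(Convert.ToBase64String(Encrypt(Encoding.UTF8.GetBytes("constructed sample"))));
    }
}
```

`Array.Clear` shortens how long the key sits in the managed heap, but it cannot remove copies the garbage collector may already have made when relocating the array.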