For a legacy project, I need to encrypt/decrypt emails by calling a function in the database (Oracle) from the Java application.

However, for encryption or decryption I need to pass the key, and I am thinking about how to securely store the key. I don't want the key stored in the database but in the application somehow.

I want to store it somewhere in Tomcat, but I am not very familiar with Tomcat. I found this post: Where to place and how to read configuration resource files in servlet based application?

What do you think, where should I store it?

Norbert94
  • Are you doing this in your free time, or within an enterprise environment? There may be security policy that addresses questions like these. The question of what would work best largely depends on your requirements and the scope of the project. Personally, I would store that key within the file system assuming that the server is secure - less likely to lose the file in the event of application issues. – 1991DBA Oct 30 '17 at 17:23
  • Maybe you should not store a key: just generate a hash value and ask the user to input a password/key. If the hash of the entered key is equal to the one in your storage, you can decrypt the emails using the entered key, and afterwards you can delete the key from RAM. Or you store the key encrypted, and the user has to enter a password as I mentioned to decrypt it. – Luatic Oct 30 '17 at 17:24
  • @user7185318 I am quite limited, therefore I cannot implement your idea, which would of course be more secure. @solllodolllo My problem is that I don't know where to store it explicitly in Tomcat: in which file? The application will be deployed in different environments, so where in the WAR file would it be more secure? I am not familiar with Tomcat – Norbert94 Oct 30 '17 at 17:34
  • That all depends on your implementation of Tomcat. But it's important to note that nothing about this is secure - user7185318's recommendation is right, this kind of thing should never really be implemented in a real system. If you are worried about how it will be deployed in different environments, I'm guessing that you are in an organization that has a team to manage them. I would start by reaching out to the team responsible for Tomcat to start getting those answers - they may tell you that you can't place the file there. – 1991DBA Oct 30 '17 at 17:47

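The question has no posted answer. As an added example (not code from the question, its comments, or any project they refer to), the following Java class shows the approach the comments converge on: keep the key out of the WAR and out of Oracle, point Tomcat at a file that lives outside the webapp, refuse to use it unless its permissions are owner-only, and optionally store it wrapped under a password an operator supplies at startup (the "store the key encrypted" variant from the comments). The JNDI entry name `mail/keyFile`, the system property `mail.keyFile`, the environment variable `MAIL_KEY_FILE`, the path `/etc/myapp/mail.key` and the PL/SQL function `email_crypto.decrypt(VARCHAR2, RAW)` are all assumed placeholder names chosen for the example.

```java
// Added example, not from the original question. Assumed Tomcat-side configuration (one of):
//   $CATALINA_BASE/conf/Catalina/localhost/<app>.xml :
//     <Context><Environment name="mail/keyFile" value="/etc/myapp/mail.key" type="java.lang.String"/></Context>
//   or $CATALINA_BASE/conf/catalina.properties :  mail.keyFile=/etc/myapp/mail.key
// The key file is owned by the account Tomcat runs as, mode 0400, and is never placed under webapps/.
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.SecureRandom;
import java.sql.CallableStatement;
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Types;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Set;

public final class MailKeyLoader {

    /** Resolve the key location: Tomcat JNDI env entry first, then JVM property, then OS environment. */
    static Path resolveKeyPath() {
        try {
            Object v = new InitialContext().lookup("java:comp/env/mail/keyFile");   // assumed entry name
            if (v != null) return Paths.get(v.toString());
        } catch (NamingException notUnderTomcat) {
            // no JNDI context (e.g. a unit test): fall through to the other sources
        }
        String p = System.getProperty("mail.keyFile", System.getenv("MAIL_KEY_FILE"));
        if (p == null) throw new IllegalStateException("mail key location is not configured");
        return Paths.get(p);
    }

    /** Refuse a key file that sits inside the deployed webapp or that other OS users can read (POSIX only). */
    static void checkKeyFile(Path keyFile, Path webappRoot) throws IOException {
        Path real = keyFile.toRealPath();
        if (real.startsWith(webappRoot.toRealPath()))
            throw new SecurityException("key file must not live inside the webapp: " + real);
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(real);
        Set<PosixFilePermission> ownerOnly =
                EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        if (!ownerOnly.containsAll(perms))
            throw new SecurityException("key file " + real + " is group/world accessible: " + perms);
    }

    /** PBKDF2 key-encryption key from the operator's password; caller zeroes the result when done. */
    static byte[] deriveKek(char[] password, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return f.generateSecret(new PBEKeySpec(password, salt, 200_000, 256)).getEncoded();
    }

    /** Wrapped-file layout: 16-byte salt | 12-byte GCM nonce | AES-256-GCM(rawKey). */
    static byte[] wrapKey(byte[] rawKey, char[] password) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] salt = new byte[16]; rnd.nextBytes(salt);
        byte[] iv = new byte[12];   rnd.nextBytes(iv);
        byte[] kek = deriveKek(password, salt);
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(kek, "AES"), new GCMParameterSpec(128, iv));
            byte[] ct = c.doFinal(rawKey);
            byte[] out = new byte[28 + ct.length];
            System.arraycopy(salt, 0, out, 0, 16);
            System.arraycopy(iv, 0, out, 16, 12);
            System.arraycopy(ct, 0, out, 28, ct.length);
            return out;
        } finally { Arrays.fill(kek, (byte) 0); }
    }

    /** Inverse of wrapKey; a wrong password or a tampered file fails with AEADBadTagException. */
    static byte[] unwrapKey(byte[] fileBytes, char[] password) throws Exception {
        byte[] salt = Arrays.copyOfRange(fileBytes, 0, 16);
        byte[] iv   = Arrays.copyOfRange(fileBytes, 16, 28);
        byte[] ct   = Arrays.copyOfRange(fileBytes, 28, fileBytes.length);
        byte[] kek = deriveKek(password, salt);
        Arrays.fill(password, '\0');                       // the password is not needed after derivation
        try {
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(kek, "AES"), new GCMParameterSpec(128, iv));
            return c.doFinal(ct);
        } finally { Arrays.fill(kek, (byte) 0); }
    }

    /** Pass the key to the PL/SQL function as a bind variable, never by concatenating it into the SQL text. */
    static String decryptEmail(Connection conn, String ciphertextB64, byte[] key) throws SQLException {
        try (CallableStatement cs = conn.prepareCall("{ ? = call email_crypto.decrypt(?, ?) }")) { // assumed
            cs.registerOutParameter(1, Types.VARCHAR);
            cs.setString(2, ciphertextB64);
            cs.setBytes(3, key);                          // RAW parameter on the Oracle side (assumed)
            cs.execute();
            return cs.getString(1);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] rawKey = new byte[32]; new SecureRandom().nextBytes(rawKey);   // constructed sample key
        byte[] wrapped = wrapKey(rawKey, "operator-passphrase".toCharArray());
        byte[] back = unwrapKey(wrapped, "operator-passphrase".toCharArray());
        System.out.println("round trip ok: " + Arrays.equals(rawKey, back));   // true
        try { unwrapKey(wrapped, "wrong".toCharArray()); }
        catch (javax.crypto.AEADBadTagException e) { System.out.println("wrong password rejected"); }
        Arrays.fill(rawKey, (byte) 0); Arrays.fill(back, (byte) 0);
    }
}
```

Two caveats a practitioner would add. First, whatever the storage choice, the key still travels to Oracle as a call argument on every encrypt/decrypt, so it crosses the JDBC session in the clear unless that session is encrypted, and bind values can be captured by SQL tracing on the database side; keeping the key out of the `users` tables does not keep it away from a DBA with trace access. Second, `Files.getPosixFilePermissions` throws `UnsupportedOperationException` on Windows, so an equivalent ACL check is needed there.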