How to store keys
Guys, hello, I asked myself this question. How to store keys as securely as possible? Simulating the situation, I have an application and it has certain files encrypted using a certain key, how to store the key itself. I refuse that the client will have the key and will enter it. The application will not have access to any external database until it passes this step with encrypted files, and the application, for example, will be available on the network, in which case I refuse to store it in
env. How and where are keys stored in such cases?2 Replies
you can search for
secrets management, like https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html
usually you keep a specific service (cloud or local) that has keys, credentials, and so on
then you decide how much security you want for the services that access that to recover stuff
so you could have ip whitelisting, some kind of digital certification checking, and so onSecrets Management - OWASP Cheat Sheet Series
Website with the collection of all the cheat sheets of the project.
Yeah, you'd need to supply more information about the setup, there's a lot of things you can do
- Keyvaults
- Environment variables
- Config files
- Certificate based key encryption
Depends on your requirements