Asp.net and Encryption: Where to store the keys?

David · Sep 1, 2005

One thing that's always puzzled me about implementing encryption on
remote asp.net apps is where to store the keys. The demo code indicate
that you include them in a configuration file, but this would seem to
defeat the purpose. If someone obtained the configuration file and
they knew the encryption method, then they could decrypt your data.

Storing them hard-coded in the app is just as bad, since it can be
disassembled. Obfuscation could help, but the string would still be
obtainable.

So, my question is, how should encryption keys be handled?

Ideas? Pointers to good articles on the subject?

Thanks

Steve C. Orr [MVP, MCSD] · Sep 2, 2005

Ah, yes, you've stumbled across the question everybody wants the answer to.
But there is no one answer. If everybody stored their keys in the same
place then hackers would know exactly where to attack.
Here's an interesting thread on the topic:
http://www.issociate.de/board/post/247319/Encryption_Key_Storage.html

HOW TO: store keys?	0	Nov 2, 2006
Where to store the DB password in a asp.net app?	3	May 4, 2004
How and where to store a SecretKey	3	Jan 26, 2008
In Enterprise Library, Where to invoked the store procedure "GetPassword" to authenticated the user?	0	Sep 19, 2005
ASP.NET Membership Data Store and Administration Across Applications	2	Jan 18, 2007
Asp.net Important Topics.	0	Jan 18, 2007
How to Manager the ASP.NET Web Site Administration Tool	8	Jan 24, 2007
Problem running ASP.NET 1.1 and 2.0 apps on the same server...	2	Feb 18, 2006

Asp.net and Encryption: Where to store the keys?

David

Steve C. Orr [MVP, MCSD]

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads