
Sensitive information stored in our database is stored encrypted.

My application needs a single global AES 256 encryption key. My boss suggests using the same key stored in a certificate used for our SSL. Mind you this application is not SSL related.

I'm wondering if this is a good idea? Maybe we should store a separate key in a database or in the Java backend code itself?

I hear SSL uses a variety of encryption methods and so the key used by SSL may not be compatible with the encryption we use, which is always AES 256?

Help appreciated

Wes
An SSL certificate does not contain a symmetric key. It contains a public key. These are generally RSA keys and can range from 1024 to 4096 bits; none of which are suitable for an AES256 implementation requiring a 256 bit seed key and a 256 bit initialisation vector. This is because an SSL certificate is used to authenticate servers and provide a means of communication via *asymmetric encryption*, whereas AES is symmetric. – christopher Nov 13 '14 at 19:30

1 Answer


Try storing it in a JCEKS key store instead. Key stores can be used to store keys. Note that you would need to protect it with a relatively strong pass phrase. It's tricky to automate access to a key.

Understanding how you can manage keys is called key management, and it is the topic of entire books.

Artjom B.
Maarten Bodewes
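What the answer's suggestion looks like in practice, as an added example that is not part of the original answer: a freshly generated AES-256 key is written to a JCEKS key store as a `SecretKeyEntry` and read back by alias. The file name, alias and the `KEYSTORE_PASS` / `KEY_PASS` environment variables are assumptions; the point the answer makes about automation is visible in the fact that both passwords still have to come from somewhere outside the store.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class JceksAesKeyStore {
    // Assumed file name and alias for this example.
    static final String STORE_FILE = "app-keys.jceks";
    static final String ALIAS = "db-field-key";

    // Generate a 256-bit AES key and save it as a password-protected
    // SecretKeyEntry in a new JCEKS store (the JKS type cannot hold secret keys).
    static void createAndStore(char[] storePass, char[] keyPass) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();

        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);                       // start with an empty store
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(keyPass));
        try (FileOutputStream out = new FileOutputStream(STORE_FILE)) {
            ks.store(out, storePass);              // integrity-protected by storePass
        }
    }

    // Load the store and retrieve the key by alias; fail loudly if the alias
    // is missing or holds something other than a secret key.
    static SecretKey load(char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(STORE_FILE)) {
            ks.load(in, storePass);
        }
        KeyStore.Entry e = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(keyPass));
        if (!(e instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no secret key stored under alias " + ALIAS);
        }
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        // Assumed: pass phrases are supplied by the deployment environment,
        // never hard-coded next to the data they protect.
        String sp = System.getenv("KEYSTORE_PASS"), kp = System.getenv("KEY_PASS");
        if (sp == null || kp == null) throw new IllegalStateException("passwords not set");
        createAndStore(sp.toCharArray(), kp.toCharArray());
        SecretKey k = load(sp.toCharArray(), kp.toCharArray());
        System.out.println(k.getAlgorithm() + " key, " + k.getEncoded().length * 8 + " bits");
    }
}
```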