
I am currently working on an ASP.NET MVC5 application hosted in Microsoft Azure in which I need to stock numerous passwords. I think I cannot use a hash because I need to be able to get the password. For the encryption/decryption of these passwords I thought of using the RijndaelManaged class, which seems to be safe.

The problem is I do not know how to store the key for this encryption/decryption in order to have an application that is as safe as possible. I have seen several topics on that, but they say anything and everything. Should I stock the key in the implementation, in the database, in a config file, or in an Azure blob (or something else)?

Fabaud
  • Off topic comment: `I think I can not use the hash because I need to be able to get the password` - I watched a Pluralsight video by Troy Hunt on "Secure Account Management Fundamentals" and one key take away from that was ... `if you can decrypt the password, then somebody else also can`. – Gaurav Mantri Apr 21 '15 at 17:42
  • I took the part about "stocking numerous passwords" to mean they were not user account passwords, but passwords for external things, similar to a password manager where you eventually need to view them. – mfanto Apr 21 '15 at 19:15

1 Answer


There's really no safe way to store keys and have them accessible to a web app. That being said, the "safest" way is to use the Azure Key Vault. It's a FIPS-140 Level 2 certified HSM, and can perform crypto operations without your application needing access to the keys.

Of course, this only marginally improves security if your application can just request any decryption that it wants (if an attacker compromises the app, they can issue the requests themselves). But at the very least, the physical medium is protected, and you're shifting the actual crypto operations to a secure environment. It's also more likely to meet regulatory requirements, as opposed to storing keys raw in a config file.

A simple tutorial showing example code can be found here.

mfanto
  • Then where do you store the clientSecret used to get the OAuth token to access the Key Vault? – BenV Apr 21 '15 at 18:56
  • Ultimately there's no way to have perfect (or maybe even good) security with an online key store that the application can make arbitrary requests to. Key Vault is the best solution for storage and crypto processing, and then how you handle the authentication token depends on your use case (whether it's single use and then discarded, or whatever). – mfanto Apr 21 '15 at 19:14
  • Thank you for your answer. I think I will use Key Vault. – Fabaud Apr 22 '15 at 13:54
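The pattern the answer describes, as an added example that is not code from the question, the answer or the linked tutorial: each stored password is encrypted with its own random AES key, and only that small key is sent to Key Vault to be wrapped by an RSA key that never leaves the HSM. It assumes the Azure.Security.KeyVault.Keys and Azure.Identity packages, a Key Vault key whose identifier URL is passed in as `keyId` (placeholder), and a managed identity on the web app so that `DefaultAzureCredential` needs no stored client secret (the concern raised in the comments); AES-GCM is used in place of the question's RijndaelManaged so the ciphertext is also integrity-protected.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Keys.Cryptography;

// Envelope encryption: a per-password data key (DEK) protects the password,
// and a Key Vault RSA key (KEK) protects the DEK. The app stores the wrapped
// DEK next to the ciphertext and never holds the KEK at all.
public sealed class VaultEnvelope
{
    private readonly CryptographyClient _kek;

    // keyId is a placeholder for the vault key URL. DefaultAzureCredential
    // picks up the app's managed identity (assumption), so no client secret
    // has to live in web.config or the database.
    public VaultEnvelope(Uri keyId)
    {
        _kek = new CryptographyClient(keyId, new DefaultAzureCredential());
    }

    public (byte[] WrappedDek, byte[] Nonce, byte[] Ciphertext, byte[] Tag) Protect(string password)
    {
        byte[] dek = RandomNumberGenerator.GetBytes(32);   // fresh AES-256 key per record
        byte[] nonce = RandomNumberGenerator.GetBytes(12); // GCM nonce, stored alongside
        byte[] plaintext = Encoding.UTF8.GetBytes(password);
        byte[] ciphertext = new byte[plaintext.Length];
        byte[] tag = new byte[16];
        using (var aes = new AesGcm(dek, 16))
            aes.Encrypt(nonce, plaintext, ciphertext, tag);
        // Only the 32-byte DEK travels to Key Vault; the RSA private key stays in the HSM.
        WrapResult wrapped = _kek.WrapKey(KeyWrapAlgorithm.RsaOaep256, dek);
        CryptographicOperations.ZeroMemory(dek);
        return (wrapped.EncryptedKey, nonce, ciphertext, tag);
    }

    public string Unprotect(byte[] wrappedDek, byte[] nonce, byte[] ciphertext, byte[] tag)
    {
        // Each decryption is a separate, loggable Key Vault request; as the answer
        // notes, a compromised app can still issue them, but they can be audited
        // and rate-limited, unlike a key sitting in a config file.
        byte[] dek = _kek.UnwrapKey(KeyWrapAlgorithm.RsaOaep256, wrappedDek).Key;
        byte[] plaintext = new byte[ciphertext.Length];
        using (var aes = new AesGcm(dek, 16))
            aes.Decrypt(nonce, ciphertext, tag, plaintext);
        CryptographicOperations.ZeroMemory(dek);
        return Encoding.UTF8.GetString(plaintext);
    }
}
```

Rotating the Key Vault key then means re-wrapping the stored DEKs, not re-encrypting every password, and the vault's access policy limits the identity to wrap/unwrap only.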