I am writing a web application which is exchanging signed xml over the web. My question is where to securely store my private keys and how to access them in my Java code? I am deploying on Google app engine cloud and my application can auto scale based on server load.
What are the industry best practices for doing this?
Secure from whom? The NSA? Google admins? Script kiddies?
Ideally you buy an HSM and store them there. I don't know if GAE has an HSM. AWS does but it's not cheap.
You could also create a simple server with a very limited and locked down API and store your keys in it and get that server to sign stuff for you, without revealing your key.
Your next best option is to store your keys in a file or envar that can only be read by the user that your app is running as.
