2

I've got a small app I wrote that takes a user-created, symmetric encryption key to encrypt files, and am unsure of how to work with the key inside the program.

To be clear, I don't want to store this key anywhere permanently, but obviously I need to pass it as a string or something, or else we can't do anything with it at all.

Some specific questions I have are:

  1. Is it safe to use the key as a string, or would something like a byte array be preferable?

  2. I would think that we would not want to save the decrypted files anywhere within the file system, which means they must be loaded up into the heap (or stack?). In order to do this, the key will need to be reused throughout the duration of the program. Should we avoid storing it as a class/instance variable?

  3. When we close out the program, what should we do with our key variable? Should it be manually overwritten?

Phantômaxx
  • 37,901
  • 21
  • 84
  • 115
Astrum
  • 591
  • 3
  • 12
  • 25
  • 1
    have look [Securely Storing Secrets in an Android Application](https://medium.com/@ericfu/securely-storing-secrets-in-an-android-application-501f030ae5a3) – Hemant Parmar Dec 22 '17 at 10:55
  • @HemantParmar I've read about the KeyStore before, but is it really better to use that than a user-generated key? I was really thinking a long the lines of how gpg works. The key you choose is not just for authentication, but does the actual encryption/decryption as well. – Astrum Dec 22 '17 at 11:17

0 Answers0