3

I am implementing a secured system( using .Net Core 2.0 ) where there is a requirement of key pair ( public and private ) generation and transmit the public key to a recipient. At the moment I do generate the key pair( using the .Net Core Crypto library) and persist the private key in the DB. I need to host this in an AWS EC2 instance.

I know this is a bad practice(storing a private key in a DB) and I need to generate these keys in a secure vault ( AWS ? ) and persist the private key in the vault itself. The application needs to retrieve the corresponding private key when there is a requirement for decryption.

I went through many AWS docs but could not find a clear answer which caters my requirement. It would be great if someone can provide me with some clear instructions on how to achieve this.

Zara Khan
  • 134
  • 2
  • 16
user3496510
  • 96
  • 8

2 Answers2

5

You are right in pointing out that self-storage of secrets in DB is a bad practice. Depending on the extent of functionality you wish to offer via your application, you could use one of the below AWS offerings:

AWS Key Management Service

In case you need the key generation as well as the key storage to occur in AWS, Key Management Service(KMS) is the closest match. Here is a link to the AWS KMS home page, along with documentation. Bear in mind that choosing this option will restrict the exact mechanism of key generation to whatever AWS offers out of the box. Also, the standard use case for KMS doesn't include generating keys in high volumes which could be a possibility for your application.

AWS Parameter Store

If you decide to include the key generation logic within your application, and leave the storing part to AWS then Parameter Store is the offering for you. In order to add a new key to a parameter store, you can do the following:

aws ssm put-parameter --name Generated_Public_Key --value "Generated_Private_Key" --type SecureString

When a client of your application requires a previously created private key by providing the public key, you can use the following:

aws ssm get-parameter --name User_Provided_Public_Key --with-decryption

Just a side note in case you decide to look outside of AWS, Microsoft Azure has an offering similar to Parameter Store called Azure Key Vault.

ThePretendProgrammer
  • 1,449
  • 10
  • 16
1

You can try t-vault

https://github.com/tmobile/t-vault Its an open source tool built on top of hashicorp vault. It simplifies the secret management for applications.

Here is a quick demo

varadhan
  • 11
  • 1