I have a customer's public key that I need to use to encrypt credentials and send to the customer to obtain an auth token, which I will be using for all further communication with the customer's services.

For testing purposes, I saved the public key into a file and I am able to successfully obtain the auth token.

Now, the question is where I need to store this key safely. The options I can think of are web.config, as it is not browsable, or keeping it in a file. Both seem to be unsafe.

If I keep it in a file, can I save it into the Windows trusted store? If yes, how can I save it, and since I will have multiple such keys in the trusted store, how will I retrieve this particular key to encrypt the credentials the next time I need to encrypt?

I am using a Windows machine for the production server and .NET to encrypt, in case it makes a difference.

user2861226
  • Since it is a public key there should be no cause to be concerned about safe storage - no one should be able to do any harm if he gains knowledge of the key. – piet.t May 11 '18 at 12:29
  • @piet.t You are absolutely correct. What is the best way to keep it? Should it be in a web.config file, or a physical file, or a database? What is the best practice? – user2861226 May 11 '18 at 12:31
  • Are you trying to re-invent TLS? – Gautam May 13 '18 at 18:11
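The question asks two concrete things: how to put the key into the Windows certificate store and how to get that one key back later when the store holds many. The following is an added example, not code from the question or any answer, and it assumes the customer handed over an X.509 certificate (a `.cer` file) rather than a bare key, that the app runs on .NET Framework 4.6 or later, and that the class name, the `CustomerCertThumbprint` setting and the file path are placeholders. The store gives the key no confidentiality (a public key needs none) but it does give a lookup handle: the certificate's thumbprint. Pinning that thumbprint in configuration is the integrity check that matters, because credentials encrypted to a substituted key would go to whoever holds the substitute.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not from the question or any answer): keep the customer's
// public key in the Windows certificate store and locate it by thumbprint.
public static class CustomerPublicKey
{
    // Import the customer's certificate once, e.g. from a deployment script.
    // LocalMachine\My ("Personal") is readable by the IIS application pool
    // identity; the .cer path is a placeholder supplied by the caller.
    public static string Import(string cerPath)
    {
        var cert = new X509Certificate2(cerPath);   // .cer holds certificate + public key only
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);         // adding to LocalMachine needs admin rights
            store.Add(cert);
        }
        // Record this value in configuration: it is the handle used to find
        // exactly this key later, among all other certificates in the store.
        return cert.Thumbprint;
    }

    // Look the certificate up by the thumbprint pinned in configuration.
    // A certificate swapped into the store would have a different fingerprint
    // and would simply not be found, so the lookup doubles as the integrity check.
    public static X509Certificate2 Find(string pinnedThumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            // validOnly: false, because the customer's certificate may be
            // self-signed and therefore not chain to a trusted root here.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, pinnedThumbprint, validOnly: false);
            if (matches.Count != 1)
                throw new InvalidOperationException(
                    $"Expected exactly one certificate with thumbprint {pinnedThumbprint}, found {matches.Count}.");
            return matches[0];
        }
    }

    // Encrypt the credential blob with the customer's RSA public key using
    // OAEP with SHA-256. With a 2048-bit key the plaintext is limited to
    // 190 bytes, enough for a username/password pair; anything larger needs
    // hybrid encryption (random AES key, RSA-wrapped).
    public static byte[] Encrypt(X509Certificate2 cert, string credentialsJson)
    {
        using (RSA rsa = cert.GetRSAPublicKey())
        {
            if (rsa == null)
                throw new InvalidOperationException("Certificate does not carry an RSA public key.");
            return rsa.Encrypt(Encoding.UTF8.GetBytes(credentialsJson), RSAEncryptionPadding.OaepSHA256);
        }
    }
}

// Usage from the web app; the appSettings key name is an assumed placeholder:
//   string thumbprint = System.Configuration.ConfigurationManager.AppSettings["CustomerCertThumbprint"];
//   X509Certificate2 cert = CustomerPublicKey.Find(thumbprint);
//   byte[] blob = CustomerPublicKey.Encrypt(cert, "{\"user\":\"svc\",\"password\":\"...\"}");
//   string payload = Convert.ToBase64String(blob);   // send to the customer's token endpoint
```

Two practical caveats: `FindByThumbprint` does an exact string match, so a thumbprint pasted from the certificate MMC snap-in with a leading invisible character or embedded spaces will match nothing, and it is worth normalising the configured value before the lookup; and if the key is backed by the legacy CSP provider on an older framework, `OaepSHA256` is rejected and `OaepSHA1` is the fallback the customer's side must then also expect. If the customer only ever supplies a bare public key and never a certificate, the store cannot hold it as-is; keeping it in web.config together with its SHA-256 hash, and checking the hash at load time, gives the same integrity property.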

1 Answer

I think you can encrypt this certificate with another RSA key pair. Save the key and the encrypted data on different platforms. For example, save the encrypted data in the DB and save the RSA key in the file system in a protected folder. The protected folder can be the user directory of the application user. Encrypt the certificate outside the platform with a separate tool. Don't save your RSA private key in the application system.

mkysoft