Nobody
I'm new to ASP.NET, so I'm trying to write a simple store front to get me
into things. Obviously with users and such, I need to encrypt the passwords.
No problem there. I wrote a little encryption / decryption routine to
provide a 2 way mechanism (to allow for emailing users the passwords). I'm
using TripleDESCryptoServiceProvider with the EncryptedXml class.
Anyways, I end up with a string (base-64 encoded version of the encrypted
password). I store the encrypted version of the string in a SQL database as
a varchar type.
Now the question is, where can I store the decryption key? I can't store it
in the Session or Application objects for obvious reasons. I need to have
the same key for decrypting even if the server is shut down.
I was storing it in the registry, under HKLM\Software\MyCompany, but somehow
while googling tonight, I stumbled onto the fact that in a deployed real
world environment, the web site is going to run under the ASPNET user which
wouldn't have access to the registry key, but the development server runs
under my own user account which does.
Should I be storing it in the registry? or in the database? or where? I kind
of frowned upon storing it in the same place as the encrypted passwords, so
if a hacker compromised one place or another, he wouldn't have the plaintext
passwords.
A file of some sort in the App_Data directory seems equally hokey.
NOTE: Basically the key is generated by the DES provider the first time a
string is encrypted. That key is stored in the registry and used from then
on.
Any insight on where the keys should be stored would be appreciated.
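One way to keep the key out of the database and still readable by the account the site runs under, as an added example that is not code from the original post: generate the TripleDES key once, wrap it with DPAPI in machine scope (System.Security.Cryptography.ProtectedData, which needs a reference to System.Security.dll), and store only the wrapped blob in a file. Machine-scope DPAPI keys belong to the box rather than to a user profile, so the same blob unwraps whether the process runs as the developer or as ASPNET. The file path and the entropy string below are assumptions chosen for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example, not the poster's code. Assumes .NET Framework 2.0 or later
// and a project reference to System.Security.dll (for ProtectedData).
public static class KeyStore
{
    // Optional entropy mixed into the DPAPI wrap. Constructed value for the
    // example; it is not a secret by itself, it just binds the blob to this app.
    private static readonly byte[] Entropy = Encoding.UTF8.GetBytes("storefront-key-v1");

    // Returns the raw 24-byte TripleDES key, creating and persisting it on first use.
    public static byte[] LoadOrCreateKey(string keyFilePath)
    {
        if (File.Exists(keyFilePath))
        {
            byte[] wrapped = File.ReadAllBytes(keyFilePath);
            // Unwrap under the machine-scope DPAPI master key, so whichever
            // identity runs the site can read it without an HKLM registry ACL.
            return ProtectedData.Unprotect(wrapped, Entropy, DataProtectionScope.LocalMachine);
        }

        byte[] key;
        using (TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider())
        {
            tdes.GenerateKey();   // 192-bit key; the provider rejects known weak keys
            key = tdes.Key;
        }

        byte[] wrappedKey = ProtectedData.Protect(key, Entropy, DataProtectionScope.LocalMachine);
        File.WriteAllBytes(keyFilePath, wrappedKey);
        return key;
    }

    // Round-trip check: the key read back from the file equals the one generated.
    public static bool RoundTripWorks(string keyFilePath)
    {
        if (File.Exists(keyFilePath))
        {
            File.Delete(keyFilePath);
        }
        byte[] first = LoadOrCreateKey(keyFilePath);
        byte[] second = LoadOrCreateKey(keyFilePath);
        if (first.Length != 24 || second.Length != first.Length)
        {
            return false;
        }
        for (int i = 0; i < first.Length; i++)
        {
            if (first[i] != second[i])
            {
                return false;
            }
        }
        return true;
    }

    public static void Main()
    {
        // Hypothetical location: a file outside the web root, or under App_Data
        // with its ACL restricted to the worker process account.
        string path = Path.Combine(Path.GetTempPath(), "storefront.key");
        Console.WriteLine("DPAPI round trip ok: " + RoundTripWorks(path));
    }
}
```

Two caveats apply to this layout. LocalMachine scope means any process on the same server can unwrap the blob, so the file's NTFS ACL (read access for the worker process account only) is what keeps other local users out; and because the DPAPI master key never leaves the machine, the blob cannot be copied to a second server or a web farm without unwrapping it on the original box and re-wrapping it there. Separately, any reversible scheme hands an attacker who gets both the database and the key file every plaintext password, which is why sites normally store a salted hash and email a reset link rather than the password itself.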