Re: secure storage of sensitive data in J2EE
From: Sean Radford (sradford_at_bladesystems.co.uk)
Date: 01/25/05
- Previous message: bsec_at_cotse.net: "J2EE Security Training"
- In reply to: chaim moshe: "secure storage of sensitive data in J2EE"
- Next in thread: Steve Taylor: "Re: secure storage of sensitive data in J2EE"
Date: Tue, 25 Jan 2005 19:06:07 +0000
To: chaim moshe <xor256@hotmail.com>
chaim moshe wrote:
> Hello list,
>
> Where can I store sensitive data like encryption keys, passwords,
> etc. in J2EE?
> Surely, you can save it in the keystore, but the catch is where do you
> store the keystore password to protect it from external access?
> Storing the keystore password in code or in config files is not
> secure enough.
>
>
> In the .NET environment you have DPAPI that was designed exactly for
> this kind of problem, the sensitive data is encrypted at the OS level
> with the user/machine password and is decrypted at runtime.
> What is the solution in the J2EE environment?
>
> Thanks!
>
On 'Nix you can set the file permission to read for only the application
server. That way only the account the application server runs under can
access it - not even root if you have Mandatory Access Control running.
Regards,
Sean
--
Dr. Sean Radford, MBBS, MSc
sradford@aegeus-technology.com
http://www.aegeus-technology.com/
Distributed Identity Management Solutions
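
An added example, not part of the original message: one way a start script could apply the file-permission approach from the reply, restricting a keystore password file to its owner and refusing to use it unless it is a regular file owned by the expected account with no group or other access. The function names and the start-script check are assumptions for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# Print "<octal mode> <owner uid>" for a file (GNU stat first, then BSD stat).
file_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# Restrict a secret file to read-only for its owner (run as that owner).
lock_down_secret() {
    chmod 400 "$1"
}

# Return 0 only if $1 is a regular file (not a symlink), owned by uid $2,
# with no permission bits set for group or other.
check_secret_file() {
    path=$1
    want_uid=$2
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "refusing $path: not a regular file" >&2
        return 1
    fi
    # Split "<mode> <uid>" into positional parameters.
    set -- $(file_mode_uid "$path")
    mode=$1
    uid=$2
    if [ "$uid" != "$want_uid" ]; then
        echo "refusing $path: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    case "$mode" in
        *00) ;;  # last two octal digits (group, other) are both 0
        *)
            echo "refusing $path: mode $mode grants group/other access" >&2
            return 1
            ;;
    esac
    return 0
}
```

A start script would call `check_secret_file` with the password file path and the uid of the application server account, and abort startup on a non-zero return.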