Re: secure storage of sensitive data in J2EE
From: Sean Radford (sradford_at_bladesystems.co.uk)
Date: Tue, 25 Jan 2005 19:06:07 +0000
To: chaim moshe <email@example.com>
chaim moshe wrote:
> Hello list,
> Where can I store sensitive data like encryption keys, passwords,
> etc. in J2EE?
> Surely, you can save it in the keystore, but the catch is where do you
> store the keystore password to protect it from external access?
> Storing the keystore password in code or in config files is not
> secure enough.
> In the .NET environment you have DPAPI, which was designed exactly for
> this kind of problem: the sensitive data is encrypted at the OS level
> with the user/machine password and is decrypted at runtime.
> What is the solution in the J2EE environment?
On 'Nix you can set the file permissions so that only the application
server can read it. That way only the account the application server runs
under can access it - not even root if you have Mandatory Access Control
running.
--
Dr. Sean Radford, MBBS, MSc
firstname.lastname@example.org
http://www.aegeus-technology.com/
Distributed Identity Management Solutions
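The approach Sean describes, locking the keystore password file down to the application server's account, is shown below as an added example; it is not part of the original thread and does not come from either poster. It assumes a POSIX shell on a 'Nix host, that the file paths and the sample password are constructed placeholders, and that the optional chown step is run as root with the application server's account name as the second argument. The check function refuses to hand the password to the server if the file has any group or world permission bits, which is the failure mode you want to catch if someone later loosens the mode by hand.

```sh
#!/bin/sh
# Added example (not from the original thread): keep a keystore password in a
# file readable only by the application server account, and verify the
# permissions before the server is allowed to read it.
#
# Assumptions (not in the original message): the password file path and the
# application server account are supplied by the caller; chown requires root,
# so it is skipped when the script is run unprivileged.

# Set the file to owner-read-only (0400) and, when running as root and an
# account name is given, make the application server account its owner.
restrict_secret_file() {
    f=$1
    user=${2:-}
    chmod 0400 "$f"
    if [ -n "$user" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$f"
    fi
}

# Return 0 only if the path is a regular file whose mode has no group or
# world bits and no execute bit (-r-------- or -rw-------). The mode string is
# taken from ls -l so this works on both GNU and BSD userland.
check_secret_perms() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the password on stdout, but only after the permission check passes.
load_keystore_password() {
    f=$1
    if ! check_secret_perms "$f"; then
        echo "refusing to read $f: group or world permission bits set" >&2
        return 1
    fi
    cat "$f"
}

# Walk through the case the thread worries about: a password file that starts
# out too permissive, is rejected, then is restricted and accepted.
demo() {
    tmp=$(mktemp)
    printf 'constructed-sample-password\n' > "$tmp"   # constructed value
    chmod 0644 "$tmp"                                  # world-readable: bad
    if check_secret_perms "$tmp"; then
        echo "unexpected: 0644 accepted"
    else
        echo "as expected: 0644 rejected"
    fi
    restrict_secret_file "$tmp"                        # add account as 2nd arg when root
    if load_keystore_password "$tmp" >/dev/null; then
        echo "0400 accepted"
    fi
    rm -f "$tmp"
}

demo
```

Running the script prints the rejected and accepted cases in turn. On a host with Mandatory Access Control, as Sean notes, the DAC mode is only the first layer; the MAC policy is what keeps root itself away from the file, and that policy is configured outside this script.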