Safest way to store an encryption key?

Date: 10/30/02

Date: Wed, 30 Oct 2002 13:48:29 -0500

Hi all,

My ASP.NET application needs to encrypt a small amount of information before
sending it to the database. I also need to decrypt the info so the
application can do useful things with it (so hashing will not work). The
purpose of this encryption/decryption is to make it hard to just "take a
look" into the database tables and see the confidential information.

Basically I need, to the extent possible, for only the application to be able
to decrypt the data (the application knows who can see what). What would be
the safest place to store the encryption key?

I am currently thinking of using the private key of a certificate issued to
the account under which the application runs. The certificate would be in
the certificate store. Is this a viable option? If so, any examples of how
to do this?
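
The approach proposed above, as an added example that is not part of the original post: each value is encrypted with a fresh AES-GCM data key, and that key is wrapped with the public key of a certificate held in the application account's store, so only an account that can use the private key can decrypt. It assumes .NET 8 APIs (newer than the post); the class and method names are hypothetical, and the self-signed certificate is a constructed stand-in used when no thumbprint is given.

```csharp
// Added example, not from the original post. Assumes .NET 8; all names are hypothetical.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;
static class EnvelopeDemo
{
    // Find the certificate in the personal store of the account the application runs as.
    static X509Certificate2 LoadFromStore(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
        if (found.Count == 0) throw new InvalidOperationException("certificate not found");
        return found[0];
    }
    // Constructed stand-in so the demo runs without an installed certificate.
    static X509Certificate2 CreateDemoCert() =>
        new CertificateRequest("CN=demo-app-key", RSA.Create(2048), HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
            .CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), DateTimeOffset.UtcNow.AddDays(1));
    // Encrypt the value with a fresh AES-256-GCM key, then wrap that key with the certificate's public key.
    static (byte[] WrappedKey, byte[] Nonce, byte[] Tag, byte[] Ct) Encrypt(X509Certificate2 cert, byte[] plaintext)
    {
        byte[] dataKey = RandomNumberGenerator.GetBytes(32);
        byte[] nonce = RandomNumberGenerator.GetBytes(12), tag = new byte[16], ct = new byte[plaintext.Length];
        using (var aes = new AesGcm(dataKey, 16)) aes.Encrypt(nonce, plaintext, ct, tag);
        using RSA pub = cert.GetRSAPublicKey() ?? throw new InvalidOperationException("not an RSA certificate");
        byte[] wrapped = pub.Encrypt(dataKey, RSAEncryptionPadding.OaepSHA256);
        CryptographicOperations.ZeroMemory(dataKey);
        return (wrapped, nonce, tag, ct);
    }
    // Only an account that can use the private key can unwrap the data key and decrypt.
    static byte[] Decrypt(X509Certificate2 cert, byte[] wrappedKey, byte[] nonce, byte[] tag, byte[] ct)
    {
        using RSA priv = cert.GetRSAPrivateKey() ?? throw new InvalidOperationException("no usable private key");
        byte[] dataKey = priv.Decrypt(wrappedKey, RSAEncryptionPadding.OaepSHA256);
        byte[] plaintext = new byte[ct.Length];
        using (var aes = new AesGcm(dataKey, 16)) aes.Decrypt(nonce, ct, tag, plaintext);
        CryptographicOperations.ZeroMemory(dataKey);
        return plaintext;
    }
    static void Main(string[] args)
    {
        using X509Certificate2 cert = args.Length > 0 ? LoadFromStore(args[0]) : CreateDemoCert();
        var (wk, nonce, tag, ct) = Encrypt(cert, Encoding.UTF8.GetBytes("constructed sample value"));
        // wk, nonce, tag and ct are what the database row would hold.
        Console.WriteLine(Encoding.UTF8.GetString(Decrypt(cert, wk, nonce, tag, ct)));
    }
}
```

Passing a thumbprint as the first argument uses a certificate already installed in the account's personal store instead of the stand-in.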


