I've just written a small class to handle AES encryption for a web-based
application. I need to store the key and IV somewhere so that I can use it
consistently across my application. My thoughts on this are:
1) Store it in the database - Pointless. If the database is compromised, the
hackers have the encrypted data AND the key/iv.
2) Store it in web.config - Something about storing it in clear text just
doesn't sit well with me. :)
3) Store it as a constant in the AES class itself - Can be reverse
engineered.
4) Encrypt the key/iv and store in one of the above locations. Well, now I
need to protect the encryption for THAT. Back to Step #1. :)
So what's the best practice here?
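As an added illustration (not the poster's class), one way to take the IV out of the storage question entirely and keep the key out of the source, web.config and the database: the IV is generated fresh per message and prepended to the ciphertext, and the key is read from an environment variable named APP_AES_KEY (hypothetical name) that the host sets out of band.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;

// Added example. Assumes a 32-byte key is supplied base64-encoded in the
// APP_AES_KEY environment variable (hypothetical name), so it lives in
// neither the source, web.config nor the database.
public static class AesBox
{
    private static byte[] LoadKey()
    {
        string b64 = Environment.GetEnvironmentVariable("APP_AES_KEY")
            ?? throw new InvalidOperationException("APP_AES_KEY is not set");
        byte[] key = Convert.FromBase64String(b64);
        if (key.Length != 32)
            throw new InvalidOperationException("expected a 32-byte (AES-256) key");
        return key;
    }

    // Output layout: [16-byte IV][ciphertext]. A fresh random IV per message
    // means there is no IV to store anywhere; it travels with the data.
    public static byte[] Encrypt(byte[] plaintext)
    {
        using Aes aes = Aes.Create();           // CBC + PKCS7 by default
        aes.Key = LoadKey();
        aes.GenerateIV();                       // new random IV on every call
        using var ms = new MemoryStream();
        ms.Write(aes.IV, 0, aes.IV.Length);
        using (var cs = new CryptoStream(ms, aes.CreateEncryptor(), CryptoStreamMode.Write))
            cs.Write(plaintext, 0, plaintext.Length);   // dispose flushes final block
        return ms.ToArray();                    // ToArray works on a closed MemoryStream
    }

    public static byte[] Decrypt(byte[] blob)
    {
        using Aes aes = Aes.Create();
        aes.Key = LoadKey();
        byte[] iv = new byte[aes.BlockSize / 8];
        if (blob.Length < iv.Length)
            throw new CryptographicException("blob shorter than one IV");
        Array.Copy(blob, 0, iv, 0, iv.Length);  // IV is read back from the blob
        aes.IV = iv;
        using var ms = new MemoryStream(blob, iv.Length, blob.Length - iv.Length);
        using var cs = new CryptoStream(ms, aes.CreateDecryptor(), CryptoStreamMode.Read);
        using var output = new MemoryStream();
        cs.CopyTo(output);
        return output.ToArray();
    }
}
```

CBC on its own does not detect tampering with the stored blob; on .NET Core 3.0 or later the AesGcm class gives authenticated encryption with the same per-message nonce-in-front layout.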