There are some microservice which communicating with each other with rsa encrypted messages. The private keys are in files currently, what is the best practice to store the private and public keys in the containers? The current solution is in the /etc/ssl, but this is a little bit hard to manage and not to safety.
I don't know your exact use case but you could consider taking a look at Hashicorp Vault. It has a PKI secrets plugin which lets you storing public/private key pairs. If it fits your use case this might be a good read, as at least someone else has thought about storing it securely.
The nice thing about vault is that in theory (this depends on the plugin that's being used) you could create a situation where the private keys are completely managed by vault and your messages are being authenticated with the vault. This will make it hard for an attacker to get your private keys. However, you might end up needing to write your own vault plugin to get this completely working with your application.
Related
Hello to all
I did a lot of research on encrypting important data such as credit card numbers in Spring Boot, and three ways to securely encrypt data caught my attention:
Protect secrets with Hashicorp Vault
Column-level encryption
Data Encryption with Java Cryptographic Extensions
All three methods have their advantages and disadvantages. The initial setup of the vault requires a lot of configuration, and I could not find a complete and integrated source for learning it. Column-level data encryption imposes a large processing load on the server, and requires the management of cryptographic keys. The third case requires the creation, management and maintenance of encryption keys for each client request. Is there a better choice for managing sensitive customer data such as email addresses or credit card numbers? Or is it recommended to use Vault to manage the secrets of website users?
Can I encourage you to take a look at our product. I don't want this to be a shameless plug but as a developer who has felt your pain, I think you would want to take a look at what we have. We have designed it to address some of your concerns. ubiqsecurity.com.
To address your specific considerations.
MUCH easier than setting up Hashicorp Vault. We have demos of creating an account and sharing encrypted data in two different languages within 5 minutes. The demos should help you get started if necessary but I wouldn't expect you to need them. Our client libraries also have fully functional examples to help you get started.
This seems to be the reason DBAs are hesitant to turn on encryption within the DB layer. We are leaving the encryption at the application layer. If your encrypted DB is up and running and someone is on the DB server with harvested credentials is your DB really secure?
We manage encryption keys for you. Client uses an API key (similar to other SaaS). Data is encrypted on the client.
Please feel free to reach out to us if you have any questions. Again, not trying to be a shameless plug, but we know the problems developers face when working with encryption and feel our solution addresses a number of the issues you are facing as well as others you haven't even mentioned.
I'm working on a Go peer-to-peer chat service to be used in Hyperboria, which operates as a meshnet. That is relatively unimportant compared to my problem:
I need to use OpenPGP keys existent in user's GPG keyrings in order to encrypt and decrypt messages. I need to be able to discover public and private keys, check that given key IDs are present, and use them to either encrypt or decrypt []byte, (either before or after it goes across a TCP connection)
Is there a package that I could look into to do this?
You should check out the go.crypto packages particularly the ones in: http://code.google.com/p/go/source/browse/?repo=crypto#hg%2Fopenpgp
It's the most likely to have what you are looking for.
Just curious - is there any risk in using a public/private key obtained from ReCAPTCHA for intended use only on one domain, but then we ending up using it for another one.
I intended to obtain it for a specific domain, but mistakenly took the public/private key as a 'global key':
This is a global key. It will work across all domains.
Is it a 'bad thing' to use 'global keys' as opposed to one for a specific domain?
This question was about the general subject of Google recaptcha public and private key. In one of the answers https://stackoverflow.com/q/5839628/321143 your question, about the safety of using the same key for more than one website, is addressed. It seems to be okay to do so:
Yes that's perfectly ok to use the same key pair for both local
testing and server deployment (as long as you keep your private key a
secret).
and
I personally use same pair of keys at 3 of my seperate web sites + at
my home computer at localhost:80 for testing purposes. They all work
very well
we are saving user data on a server and we want to do save this data encrypted with TrueCrypt.
If a user registers, we generate an asymmetric key for him that is encrypted with his password. This asymmetric user-specific key will encrypt all the keys that are used for services, including the above mentioned data encryption.
If we now want to read the users files, add new and modify existing ones from within our Java Application running on a Application Server, should we mount the TrueCrypt container?
We think that it might be a security leak as an attacker could easily look in the mounted container, but we also have no other idea - we are kind a stuck!
I am sure someone can help us here.
Thanks,
Heinrich
#edit By the way, we are using Spring for your Java App.
I don't think it is a good idea to use TrueCrypt for this usecase. When using TrueCrypt you have no other choice than mounting it on each request to encrypted files. You should think about using plain Java encryption and do encryption and decryption yourself. There are libraries like Google Keyczar that may help you implementing this.
I am writing a program that is meant to be used over a local wifi network. With the intention of providing some security, I am considering to have devices connect over local https. Is it considered to be common practice to generate one self signed key pair using openssl, then distribute a software package that uses that exact same private and public key?
I would say no, because the key can be extracted from the software package, and the data can be decrypted.
You should generate a key after installing the package, so that it would be unique to the installation.
Private key must be used only by person who created it. If you distribute private key to any other side it becomes compromised and you can't guarantee any security with utilizing this key.
So the answer is: you should generate key pair on each client and distribute only public keys. And even in this case you should understand that there is a risk of "man-in-the-middle" attack.