Storing persistent encryption keys


Sensitive information stored in our database is stored encrypted.

My application needs a single global AES-256 encryption key. My boss suggests using the same key stored in a certificate used for our SSL. Mind you, this application is not SSL-related.

I'm wondering if this is a good idea? Maybe we should store a separate key in a database or in the Java backend code itself?

I hear SSL uses a variety of encryption methods and so the key used by SSL may not be compatible with the encryption we use, which is always AES 256?

Help appreciated.

Maarten Bodewes

Try storing it in a JCEKS key store instead. Key stores can be used to store keys. Note that you would need to protect it with a relatively strong pass phrase. It's tricky to automate access to a key.

Understanding how you can manage keys is called key management, and it is the topic of entire books.
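What the answer describes, as an added example that is not part of the original answer: the application's AES-256 key is generated once, written to a JCEKS key store as a pass-phrase-protected secret-key entry, and read back at startup. The file name `app-keys.jceks`, the alias `db-field-key` and the `APP_KEYSTORE_PASSPHRASE` environment variable are assumptions for this example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class AesKeyStoreExample {
    static final String STORE_PATH = "app-keys.jceks"; // assumed file name
    static final String ALIAS = "db-field-key";         // assumed entry alias

    // Load the store if it exists, otherwise start with an empty one.
    static KeyStore open(char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        if (new File(STORE_PATH).exists()) {
            try (FileInputStream in = new FileInputStream(STORE_PATH)) { ks.load(in, storePass); }
        } else ks.load(null, null);
        return ks;
    }

    // Generate the AES-256 key once and save it as a SecretKeyEntry under ALIAS.
    static void createKeyIfAbsent(char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = open(storePass);
        if (ks.containsAlias(ALIAS)) return;
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(kg.generateKey()),
                    new KeyStore.PasswordProtection(keyPass));
        try (FileOutputStream out = new FileOutputStream(STORE_PATH)) { ks.store(out, storePass); }
    }

    // Read the key back for use by the application's AES code.
    static SecretKey loadKey(char[] storePass, char[] keyPass) throws Exception {
        KeyStore.Entry e = open(storePass).getEntry(ALIAS, new KeyStore.PasswordProtection(keyPass));
        if (!(e instanceof KeyStore.SecretKeyEntry)) throw new IllegalStateException("no key under " + ALIAS);
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        // The pass phrase is read from the environment (variable name assumed) rather than from source code.
        String pp = System.getenv("APP_KEYSTORE_PASSPHRASE");
        if (pp == null) throw new IllegalStateException("APP_KEYSTORE_PASSPHRASE is not set");
        char[] pass = pp.toCharArray();
        createKeyIfAbsent(pass, pass);
        SecretKey key = loadKey(pass, pass);
        Arrays.fill(pass, '\0'); // wipe the pass phrase once the key is in memory
        System.out.println("loaded " + key.getAlgorithm() + " key of " + key.getEncoded().length * 8 + " bits");
    }
}
```

The same code works with `KeyStore.getInstance("PKCS12")` on current JDKs, which also accept secret-key entries; the pass phrase still has to come from somewhere the application can read at startup, which is the automation problem the answer points out.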