Where to store encryption passwords


I get the reasons for security and encryption. But I'm really confused on how to set it up or use it.

I'm working on encrypting passwords our application uses to access the database and other third-party APIs. I'm working under the assumption that plain text passwords should be avoided at all costs. But I'm starting to feel like I'm chasing my tail locking everything down.

I've decided to encrypt the passwords with AES encryption, and use a KeyStore to store the keys. From what I've found so far, this seems like a pretty standard solution.

The applications I'm trying to secure are web applications that are hosted on a Tomcat server. My intent was to configure the Tomcat JVM parameters to include the path to the KeyStore and the KeyStore password. Then each application could get a handle on the KeyStore with this:

import java.io.FileInputStream;
import java.security.KeyStore;

String keystorePath = System.getProperty("keystore.path");
String keystorePassword = System.getProperty("keystore.password");
KeyStore ks = KeyStore.getInstance("PKCS12");

// load() takes the password as a char[], not a String
try (FileInputStream fis = new FileInputStream(keystorePath)) {
    ks.load(fis, keystorePassword.toCharArray());
}

Then each application would be responsible for knowing key aliases of the keys they need. But now I've got this keystore password in clear text. Going back to the assumption that plain text passwords are bad, what do I do about this password? Even if I move these to environment variables both the location of the keystore and the password to access it are stored in the same place. That feels foolish to me, but what can I do about it?

To make matters worse, the KeyStore recommends using passwords for each key. So then where do those get stored? Decrypted by a second keystore?

I feel like I'm going down an over-engineered death-spiral.

  • Is there an accepted/recommended solution for this?
  • How do I justify when it's 'secure enough' even though I still have a plain text password?

tl;dr - I've encrypted my passwords, but now my passwords have passwords and I'm back to the same problem!! Help!!
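The setup the question describes, written out as an added example (not code from the post): open the PKCS12 keystore named by the JVM properties, fetch an AES key by alias using that entry's own password, and decrypt an AES-GCM-encrypted database password with it. The alias, the entry-password property and the ciphertext layout are assumptions; the keystore password still arrives as a plain-text property, which is exactly the layer the question is asking about.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class SecretLoader {
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;

    // Opens the PKCS12 keystore named by the JVM properties. The keystore
    // password is itself a plain-text property: the layer the question asks about.
    static KeyStore openKeyStore() throws Exception {
        String path = System.getProperty("keystore.path");
        char[] ksPassword = System.getProperty("keystore.password").toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, ksPassword);
        }
        return ks;
    }

    // Fetches the AES key stored under alias; each entry can carry its own
    // password, which is what "passwords for each key" refers to.
    static SecretKey loadKey(KeyStore ks, String alias, char[] entryPassword) throws Exception {
        KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(entryPassword));
        if (!(entry instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no secret key entry for alias " + alias);
        }
        return ((KeyStore.SecretKeyEntry) entry).getSecretKey();
    }

    // Decrypts base64(iv || ciphertext || tag) with AES-GCM (assumed layout); a
    // wrong key or a tampered blob fails tag verification and throws instead of
    // silently returning garbage, which is why GCM is preferred over plain CBC here.
    static String decryptPassword(SecretKey key, String blob) throws Exception {
        byte[] raw = Base64.getDecoder().decode(blob);
        byte[] iv = Arrays.copyOfRange(raw, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(raw, GCM_IV_BYTES, raw.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }
}
```

Wired together it reads `decryptPassword(loadKey(openKeyStore(), "db-password-key", entryPw), System.getProperty("db.password.enc"))`, where the alias, `entryPw` and the property name are hypothetical; note that every secret the chain depends on still traces back to a property the JVM was started with.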

