Question

We want to store our passwords for FTP, websites, databases, etc. You can compare our software to KeePass, but we wanted to do our own solution. The passwords will be encrypted and stored in a database. We can't use checksums because we need to show the passwords in plaintext.

The problem is that we couldn't find a good solution to store the private key. If it's written in the code, you can get it quite easily. If it's hidden in a DLL, you can't hide it effectively, because the machine has to use it. All users of our software have full access to the source code and the database with the encrypted passwords, and are admins on their PCs, so they could read the code when it's used.

We thought about storing the private keys in a separate database which is accessed with another password, but the key will be used anyway.

So, we're not getting anywhere. We are aware that there is no 100% safe solution for this, but there has got to be an almost safe one.


Solution

First, I would advise against writing your own solution; there are so many ways to do it wrong, and you need to invest a lot of time to know about all the important points.

You don't need to store a key anywhere, just use the key to encrypt the data then forget the key. For decrypting you use the key as entered, if the key is correct you get back the data, otherwise you get back scrambled content.

Because users do not like to type strong keys and prefer passwords, you should use a key-derivation function like BCrypt or PBKDF2 (Password-Based Key Derivation Function 2), which can translate a password to a key.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow