Question

In my web application I access a private key that is stored in a Java KeyStore. I would like to know what is the best/recommended way to store the password for the KeyStore and private key.

I've considered using a properties file but that does not seem very secure for use in a production environment (storing password in a plain text file). Also, hard-coding the password in my code is not an option I'm willing to entertain.

Thanks.


Solution

You could use a properties file as you mention; just hash the password, and for extra security, salt-hash the password. This gets round the issue of having to keep a password in plain text. You can then use either MD5 or SHA1 to hash it, personal choice.

OTHER TIPS

This is a tricky bootstrapping problem. Some options:

  • Have your app prompt the user to unlock the keystore (not very friendly, but possible)
  • Store the password in an owner-read-only file (0400) and use that to unlock the keystore. The attacker has to break into your server to read the file. This seems to be the most widely used technique
  • Use an HSM
  • Use something like Hashicorp Vault (but it has the bootstrapping issue as well).
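For the owner-read-only file option above, here is an added example (not the poster's code) of the application side: it refuses to proceed unless the password file is exactly mode 0400, reads the password as a char[] so it can be zeroed, and unlocks the keystore. It assumes Java 17, a PKCS12 keystore whose store and key passwords are the same, and caller-supplied paths and alias.

```java
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Arrays;
import java.util.EnumSet;

public final class KeyStoreUnlocker {

    /** Reads the keystore password from a file that must be mode 0400 (owner read only, POSIX hosts). */
    static char[] readPassword(Path passwordFile) throws Exception {
        var perms = Files.getPosixFilePermissions(passwordFile);
        if (!perms.equals(EnumSet.of(PosixFilePermission.OWNER_READ))) {
            throw new SecurityException(passwordFile + " must be mode 0400, found " + perms);
        }
        byte[] raw = Files.readAllBytes(passwordFile);
        CharBuffer decoded = StandardCharsets.UTF_8.decode(ByteBuffer.wrap(raw));
        Arrays.fill(raw, (byte) 0);                 // don't keep a second copy of the secret
        int len = decoded.limit();
        while (len > 0 && (decoded.get(len - 1) == '\n' || decoded.get(len - 1) == '\r')) {
            len--;                                  // strip the trailing newline editors add
        }
        char[] password = new char[len];
        decoded.get(password, 0, len);              // char[] can be zeroed later, unlike String
        return password;
    }

    /** Unlocks the PKCS12 keystore and returns the private key stored under alias. */
    static PrivateKey loadPrivateKey(Path keyStoreFile, Path passwordFile, String alias) throws Exception {
        char[] password = readPassword(passwordFile);
        try (InputStream in = Files.newInputStream(keyStoreFile)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);
            // Assumption: store and key share one password, as keytool does for PKCS12 by default.
            KeyStore.Entry entry = ks.getEntry(alias, new KeyStore.PasswordProtection(password));
            if (!(entry instanceof KeyStore.PrivateKeyEntry pk)) {
                throw new IllegalStateException("no private key under alias " + alias);
            }
            return pk.getPrivateKey();
        } finally {
            Arrays.fill(password, '\0');            // scrub the password once the key is loaded
        }
    }
}
```

Call `loadPrivateKey(Path.of("/etc/myapp/keystore.p12"), Path.of("/etc/myapp/keystore.pass"), "server")` with your own paths and alias; the permission check fails closed, so a file accidentally left group- or world-readable stops the application at startup rather than silently working.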
Licensed under: CC-BY-SA with attribution