Hi all,

What is the industry standard/practice on managing the private key? I have a requirement on managing multiple private key in the application. During runtime, the application need to retrieve the private key and perform signing/decrypting on the message content we send out or we received.

I am intending to store the encrypted form of the private key (encrypt using symmetric algo) in the database table. Whenever the application needs the private key, it will decrypt the private key using the password phrase cached in the memory (the application retrieve the password phrase from the file that is accessible for ROOT account).

Will the above design safe guard the private key we store? On paper, the attacker need to break into both database and the application machine to get the private key and the password phrase. To me, this approach can ensure certain degree of security on protecting the private key.

What is ur view on it? Any better approach on safeguard the private key?

Regards
Yangguo

You're probably better off to store the private key in a file - using something like PKCS#12. Then you can protect both the key and the password with root access.

If the key is in the database, while it's encrypted, it may be hard to prevent, or detect, someone from fetching it and attempting a dictionary attack offsite. On the other hand if the key is in a file protected by root, there's only one way to get to it.

Regards,

David