3

I'm designing a small tool (web interface and web services) for signing some blobs of data with a private RSA key. The application will have more than one private key (i.e. for different types of blobs), and in the future we might deprecate some of the keys (and add new ones).

The question is where should I store the KeyStore file? Adding it to META-INF doesn't seem like a good idea, as it would be overwritten with a software update. Other options would be to store it in something like /etc/myapp/keys.keystore or in a table in a blob column.

So, what is the "canonical" way of storing a keystore?

3 Answers

3

I don't think there's a canonical way. Perhaps the best option would be to have the keystore external to the application, and configure its location (for example via -Dkeystore.location=/home/.. or something similar to this).


1 Comment

I think this is probably the best solution. Will give it a try. Thanks
0

In the past, I've stored keystores on the file system, as a file with the .jks extension. The app in question always runs as a particular user, so we put the file in (a subdirectory of) the user's home directory. We then had some code along the lines of

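```java
import java.io.File;

// An explicit location from a system property takes precedence
String keystorePath = System.getProperty("ourapp.keystore.path");
File keystoreFile;
if (keystorePath != null)
    keystoreFile = new File(keystorePath);
else
    // Otherwise fall back to the home directory of the user the app runs as
    keystoreFile = new File(System.getProperty("user.home"), "ourapp.jks");
if (!keystoreFile.exists()) {
    // Some sort of whining, return
}
// ...load and deal with keystore...
```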

I don't think there's a canonical way to do this (though I might be wrong). This way has worked well for our use case.

Comments
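The externally configured keystore from the two answers above, carried through to loading and signing, as an added example that is not code from the original posts. The class name `BlobSigner`, the SHA256withRSA algorithm, the permission check, and the use of one password for both the store and its keys are assumptions; the alias passed to `sign` stands for one key per blob type.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermission;
import java.security.*;

public class BlobSigner { // hypothetical class name
    private final KeyStore keyStore;
    private final char[] password;

    public BlobSigner(char[] password) throws IOException, GeneralSecurityException {
        // Same lookup order as the answer above: system property first, then the user's home.
        String configured = System.getProperty("ourapp.keystore.path");
        Path path = configured != null
                ? Paths.get(configured)
                : Paths.get(System.getProperty("user.home"), "ourapp.jks");
        if (!Files.isRegularFile(path)) {
            throw new IOException("Keystore not found: " + path);
        }
        // Refuse a keystore that other local accounts can read or modify (POSIX file systems only).
        if (path.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            for (PosixFilePermission p : Files.getPosixFilePermissions(path)) {
                if (p.name().startsWith("GROUP_") || p.name().startsWith("OTHERS_")) {
                    throw new IOException("Keystore permissions too broad (" + p + "): " + path);
                }
            }
        }
        this.password = password.clone();
        this.keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            keyStore.load(in, this.password);
        }
    }

    /** Signs a blob with the private key stored under the given alias (one alias per blob type). */
    public byte[] sign(String alias, byte[] blob) throws GeneralSecurityException {
        Key key = keyStore.getKey(alias, password); // assumption: key password equals store password
        if (!(key instanceof PrivateKey)) {
            throw new KeyStoreException("No private key under alias: " + alias);
        }
        Signature signer = Signature.getInstance("SHA256withRSA"); // assumed algorithm
        signer.initSign((PrivateKey) key);
        signer.update(blob);
        return signer.sign();
    }
}
```

Because the file lives outside the deployed archive, a software update leaves it untouched, and deprecating or adding a key is a keystore change (a removed or new alias) rather than a redeploy.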

0

I've not tried this, but it looks like the recommended way to do this is using environment entries in context.xml.

Tomcat docs here

Related stackoverflow question here

Also, how you are describing how you're going to implement the encryption sounds like there are potentially some problems with it. Read the user erickson's recommendations in various answers to see how to do this right. Here is a question to start with: Java 256-bit AES Password-Based Encryption

3 Comments

Erickson's recommendation is really good, if the other side receiving the ciphered data is a JVM. In my case it is an FPGA with a simple RSA implementation, so I don't have the resources for deriving the key.
Also, that only applies if you have a user entering a password, which it sounds like you don't. He had other recommendations too such as using a unique initialization vector for each file or BLOB you encrypt.
Each blob has a salt and a unique 53-bit field (the FPGA "DNA") that matches only one FPGA, so as long as I keep my private keys 'safe' (I know, nothing is really safe) that should work just fine.
