Java - Password encryption/decryption for external sites_问答_开发者

Java - Password encryption/decryption for external sites

开发者 https://www.devze.com 2023-03-27 14:34 出处：网络

On our server, we have several periodical jobs that login to external accounts through API\'s.Currently, these passwords are hard-coded (in the clear).We are going to be storing them in a database and

On our server, we have several periodical jobs that login to external accounts through API's. Currently, these passwords are hard-coded (in the clear). We are going to be storing them in a database and would like to encrypt the passwords, but we must be able to decrypt them to login to the external sites. Is there a way to store these passwords securely without having another password stored in the clear for encryption/decryption? (This seems like a common proble开发者_开发知识库m, but I am not familiar enough with security terminology to classify it). Thanks!

What you are trying to achieve is very similar to this question. Ideally you do not want to keep these secrets in the database, you want to keep them as far away from your application as possible. Why? Because this way you can at least rule out the application itself as an attack surface and it will be much harder to get access to those passwords.

In your case you want to protect the encryption keys with a password. This means that you have to store the password somewhere. Should you encrypt that password again? This leads to a vicious cycle - it's what I meant by this section of the answer:

... What brings us to that resource. It's really a hen-and-egg problem with key stores and passwords. The only really clean solution to this is entering the passwords manually each time the app/database is started. But this tends to be a real problem (think of: crash in the middle of the night), so people tend to store the passwords in a text file on the file system. It's acceptable as long as you follow some guidelines:...

If you encrypt something, then there is a secret resource, the key involved. The ideal way to keep it secret is, as outlined in the quote, memorizing it and entering it manually so that no trace of it is left behind. As this is often not manageable, you have to live with something less secure than memorizing but better than storing the secret in plain text.

The same recommendations as in that post apply to your case with regard to storing the secret password in a file. As an alternative you could try to leverage OS Secure Storage facilities such as Windows Data Protection.