Question
Safest storage of secret keys
In the process of developing our intranet, we are storing SSN
information as well. Since this is confidential, I want to make
sure I take the best practices in safe-guarding it. So how would
you go about doing it?
I was thinking I could use GenerateSecretKey() and then use Encrypt with AES, but my problem arises from, "do we store the generated secret key in the database?) Or is it better to use a value in the DB we hold on that individual person for a key?
I understand that if I store it in the DB, then additional security measures include having to close off who gets access to reading data from database tables, and that's understandable, I'm just trying to devise the best COLDFUSION-related practices for storing confidential data.
Cause in the same manner, if someone had access to read CF page code, they could see something like:
<cfset mySSN = Decrypt( strHashedValue, users.key, "AES" ) />
And figure out what was being done (so I have to ensure FILE based security as well, but again, just within the realm of CF, what's the best thing to do?
I was thinking I could use GenerateSecretKey() and then use Encrypt with AES, but my problem arises from, "do we store the generated secret key in the database?) Or is it better to use a value in the DB we hold on that individual person for a key?
I understand that if I store it in the DB, then additional security measures include having to close off who gets access to reading data from database tables, and that's understandable, I'm just trying to devise the best COLDFUSION-related practices for storing confidential data.
Cause in the same manner, if someone had access to read CF page code, they could see something like:
<cfset mySSN = Decrypt( strHashedValue, users.key, "AES" ) />
And figure out what was being done (so I have to ensure FILE based security as well, but again, just within the realm of CF, what's the best thing to do?
AdChoices