What are the existing encryption / decryption / key rotation methods for Java web applications

I need to encrypt user input in my Java-based web application (using jasypt), which is stored in a MySQL database, and I want to be able to change the encryption key / passphrase at a regular interval (for example, every 90 days). The application runs on a server on the network.

Existing, already encrypted data must be re-encrypted with the new key, but for this the application will, of course, still need the old key.

  • What are the usual methods to rotate keys?
  • What are the common ways to make encryption keys available to the system (for example, system properties passed on the command line, encrypted property files, downloading from another server via HTTPS)?

I expect that there is no single answer to this, but I would like to get some tips, pointers and keywords to explore them in the right direction.

+5
1 answer

First of all, it is important to understand the purpose of key rotation. Your use case is encrypting data at rest. In this case, the purpose of key rotation is to contain a data breach in the event that a key or an encrypted data set leaks, and to limit brute-force decryption attacks. Common practices for key rotation:

  • Time-bound keys: in this practice, keys are replaced periodically.
  • Transaction-level keys: in this practice, each transaction is encrypted with its own unique key, which gives a higher level of data breach containment.


StrongAuth, Porticor.

+5
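The two practices named in the answer combine naturally in envelope encryption: every record gets its own data key (DEK), and the DEK is wrapped by a versioned master key (KEK). Rotating the KEK on the 90-day schedule then means rewrapping the small DEKs, not decrypting and re-encrypting every MySQL row, and the old KEK is only needed until the last row has been rewrapped. The following is an added example written for this page, not code from the answer, from jasypt, or from the vendors mentioned; it uses only the JDK's javax.crypto (AES-GCM). The stored format `version:wrapIv:wrappedDek:dataIv:body`, the class name and the sample value are assumptions made for the illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Envelope encryption with a versioned key ring (example code, not jasypt).
 * Stored column format (assumed): version:wrapIv:wrappedDek:dataIv:body
 * Everything after the version is standard Base64, which never contains ':'.
 */
public class EnvelopeKeyRotation {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int TAG_BITS = 128;   // GCM authentication tag
    private static final int IV_BYTES = 12;    // recommended GCM nonce size
    private static final Base64.Encoder B64E = Base64.getEncoder();
    private static final Base64.Decoder B64D = Base64.getDecoder();

    // version -> KEK. In production the KEKs come from a KMS/HSM or a protected
    // key store, never from source code; here they are generated for the demo.
    private final Map<Integer, SecretKey> keks = new HashMap<>();
    private int currentVersion = 0;

    public void addKek(int version, byte[] rawKey) {
        keks.put(version, new SecretKeySpec(rawKey, "AES"));
        currentVersion = Math.max(currentVersion, version);
    }

    public int currentVersion() { return currentVersion; }

    public static byte[] randomBytes(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    private static byte[] gcm(int mode, SecretKey key, byte[] iv, byte[] aad, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, key, new GCMParameterSpec(TAG_BITS, iv));
        if (aad.length > 0) c.updateAAD(aad);
        return c.doFinal(in);
    }

    // Binding the KEK version into the AAD makes a wrapped DEK fail to unwrap
    // if its version field is tampered with or mismatched.
    private static byte[] versionAad(int version) {
        return ("kek-v" + version).getBytes(StandardCharsets.UTF_8);
    }

    private SecretKey kek(int version) {
        SecretKey k = keks.get(version);
        if (k == null) throw new IllegalStateException("no KEK for version " + version + " (retired too early?)");
        return k;
    }

    private String wrap(int version, byte[] dek, byte[] dataIv, byte[] body) throws Exception {
        byte[] wrapIv = randomBytes(IV_BYTES);
        byte[] wrappedDek = gcm(Cipher.ENCRYPT_MODE, kek(version), wrapIv, versionAad(version), dek);
        return version + ":" + B64E.encodeToString(wrapIv) + ":" + B64E.encodeToString(wrappedDek)
             + ":" + B64E.encodeToString(dataIv) + ":" + B64E.encodeToString(body);
    }

    /** Encrypt one value under a fresh per-record DEK, wrapped with the current KEK. */
    public String encrypt(String plaintext) throws Exception {
        byte[] dek = randomBytes(32);                       // AES-256 data key, unique per record
        byte[] dataIv = randomBytes(IV_BYTES);
        byte[] body = gcm(Cipher.ENCRYPT_MODE, new SecretKeySpec(dek, "AES"), dataIv,
                          new byte[0], plaintext.getBytes(StandardCharsets.UTF_8));
        return wrap(currentVersion, dek, dataIv, body);
    }

    public static int versionOf(String stored) {
        return Integer.parseInt(stored.substring(0, stored.indexOf(':')));
    }

    private byte[] unwrapDek(String[] f) throws Exception {
        int version = Integer.parseInt(f[0]);
        return gcm(Cipher.DECRYPT_MODE, kek(version), B64D.decode(f[1]), versionAad(version), B64D.decode(f[2]));
    }

    public String decrypt(String stored) throws Exception {
        String[] f = stored.split(":");
        byte[] dek = unwrapDek(f);
        byte[] plain = gcm(Cipher.DECRYPT_MODE, new SecretKeySpec(dek, "AES"), B64D.decode(f[3]),
                           new byte[0], B64D.decode(f[4]));
        return new String(plain, StandardCharsets.UTF_8);
    }

    /** Key rotation step: rewrap the DEK under the current KEK; the body is untouched. */
    public String rewrap(String stored) throws Exception {
        String[] f = stored.split(":");
        if (Integer.parseInt(f[0]) == currentVersion) return stored;   // already current
        byte[] dek = unwrapDek(f);                                      // needs the OLD KEK
        return wrap(currentVersion, dek, B64D.decode(f[3]), B64D.decode(f[4]));
    }

    public static void main(String[] args) throws Exception {
        EnvelopeKeyRotation ring = new EnvelopeKeyRotation();
        ring.addKek(1, randomBytes(32));
        String stored = ring.encrypt("constructed sample: 4111 1111 1111 1111");
        ring.addKek(2, randomBytes(32));                 // day 90: a new KEK becomes current
        String rotated = ring.rewrap(stored);
        System.out.println("v" + versionOf(stored) + " -> v" + versionOf(rotated) + ": " + ring.decrypt(rotated));
    }
}
```

Keep the version in its own column so a rotation job can select `WHERE key_version < :current` in batches and rewrap each row, and only retire a KEK once that query returns nothing for its version; until then the old key must stay loadable, which is exactly the asker's concern. The same versioning scheme works with jasypt's password-based encryptors by keeping one configured encryptor per version, although there the whole value has to be decrypted and re-encrypted because a PBE string encryptor has no separate data key to rewrap.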
