Storing public and private keys in a Database or keystore

Asked 6/7, 2010 at 8:4 Answered 8/3, 2013 at 9:53

I am making a web service that will store public and private keys for each record in a database table.

The keys are made using Java, but I am unsure weather to create a keystore or place the keys inside fields in the databbase directly.

What option would you recommend and what are the benefits of each method?

Malleus answered 6/7, 2010 at 8:4 Comment(0)

If you use a keystore, you'll be using a database that has been designed to keep encrypted items, such as keys and certificates.

Wherever possible, you shouldn't try and re-invent the wheel. Will a keystore suffice in your problem? If you try and design your own database for storing these artefacts, you're going to have to re-solve problems and issues which were taken into account already when creating databases such as Java's keystore.

Collinsia answered 6/7, 2010 at 8:8 Comment(1)

Each record in my table will need to be linked to the keys in the keystore somehow. ie. I need a way to automatically pull the private key out of the keystore (as well as information from the db) and encrypt a message then send it back to the user. So should I be storing the keystore password inside the database record? How do I get around this problem in a secure way? You see there is more than just the public/private key per row, I have id, price, name...etc. – Malleus 6/7, 2010 at 9:6

You can provide keystores to already existing implementations for data sending over http, which will fetch the keystore and perform all the necessary stuff so you don't have to. For server-side authentication this would be a keystore = KeyStore.getInstance("JKS"), containing all the trusted certificates.

For client-side authentication, if applicable (you need to verify yourself) also such implementation already exist where you just provide your client 'keystore' => this one will contain your certificate and it's private key => KeyStore.getInstance("PKCS12")

Then finally you want to store these stuff to database, here it gets a bit tricky.. Keystores are secured, so you can not just write it away.. you have to use the keystore.store(OutPutstream, password)..

What I find best is for instance:

@Entity
public class MyKeyStoreClass {
private Long id;
@Transient
private KeyStore keystore;
private String passwordForKeyStore;
private Byte[] keyStoreAsBytes;

@PreUpdate
@PrePersist
public void concertKeyStoreToBytes() {
   ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        keystore.store(byteArrayOutputStream,
                passwordForKeyStore.toCharArray());
   keyStoreAsBytes = byteArrayOutputStream.toByteArray();
}

@PostLoad
public void getKeyStore() {
   if (keystore == null && keyStoreAsBytes != null) {
      keyStore = KeyStore.getInstance(getKeystoreType().getType());
      keyStore.load(new ByteArrayInputStream(keystoreAsBytes), passwordForKeyStore.toCharArray()); 
   }    
}

The above code is not 100% correct, but it gives you a good idea of what I mean, If you don't work with annotations, you can do it using another approach but I think my point is clear ;)

Eleemosynary answered 8/3, 2013 at 9:53 Comment(0)

Why does each record have a private key? This is very strange design. Private keys see generally held by entities, e.g. People, or servers acting on their behalf.

Rumpus answered 6/7, 2010 at 10:18 Comment(1)

Each record represents an application. So each application will have it's own private and public keys. – Malleus 7/7, 2010 at 5:1

you can have a database to store userinfo not keys, for keys it is better to use keystore. so userinfo may contain {name, symmetric pass / hash, ...} and using the name you should be able to identify the key-record in the keystore. Again remember, do not use a global (user,pass) to read the keystore, use the user grant instead.

Donahue answered 20/10, 2010 at 9:37 Comment(0)

Recommended topics

Hot tags