2

I am creating an application that will automatically sign code with secure keys (.key). The app will run on Windows environment developed in .NET environment (C#). Signing is simple: source code + keys will generate signed artifacts. This is already in place. The challenge that I am facing is how to store the keys as secure as possible.

What I am considering is to encrypt the keys with tools like VeraCrypt. Whenever the app needs to sign code, encrypt the files, sign it and decrypt again. VeraCrypt for instance offers command line options for this. This then raises another issue: How to store the passphrase in the app safely.

Since I am not a security expert, could you provide me some comments on proposed solution? What other options would be appropriate and maybe better ones?

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209
A.Igor
  • 21
  • 3
  • have you checked http://security.stackexchange.com/questions/12332/where-to-store-a-key-for-encryption ? – Purefan Feb 03 '17 at 14:39
  • the challenge is that app should be fully automated. so app should have access to the keys always without manual interventions. i'll check and analyze these options. – A.Igor Feb 03 '17 at 14:47
  • Please check the linked question and the options given there – Purefan Feb 03 '17 at 14:48
  • Key management is tricky and many OS / hardware vendors have features to help you out. Can you [edit](https://security.stackexchange.com/posts/150299/edit) your question to tell us what plaform / OS / hardware you are developing this app for? Does this app run client-side? Server-side? On mobile? On the `.net` framework? etc. The answer @Purefan linked to assumes that you are writing a server-side app in a datacentre-type environment, so let's clarify that first. – Mike Ounsworth Feb 03 '17 at 15:26
  • @MikeOunsworth I edited the question with more details – A.Igor Feb 03 '17 at 15:26

1 Answers1

2

You've stumbled into a very hard problem; when storing cryptographic keys in software you really kinda have three options:

  1. Store the password encrypted on disk and have the user enter a password to decrypt it at runtime. You then need to worry about secure memory management also, which is a real rabbit hole.

  2. Avoid prompting the user for a password by doing some weird obfuscation trick where you derive a decryption key from hardware serial numbers and stuff.

  3. Use the OS' key management APIs. If possible, also use the OS APIs to do all the crypto operations for you so that your app never actually has the private key in memory. Then you can trust that the OS is handling the key securely and you don't have to think about it.

Fortunately for you, Windows and .NET has very good key management APIs called CAPI: Crypto API.

I would start by Googling "windows storing cryptographic keys .net" and doing some reading. This article in particular seems like a good starting point:

If you are writing a webservice that will run in a datacentre that you control, then you could consider using a Hardware Security Module. Also, hosting providers like Amazon and Azure provide APIs for this rather than needing your own physical HSM. That said, these devices start at $5,000 USD and they are overkill for most applications.

Mike Ounsworth
  • 58,107
  • 21
  • 154
  • 209