Last post Jul 18, 2017 02:14 PM by Rithu_dev
Jul 18, 2017 02:58 AM|Rithu_dev
In ASP.Net, the normal way of encrypting an object (as an example, a user cookie on the server side) is to read the shared key located in the machine.config file. The machine config file contains the following config entries.
<machineKey decryptionKey="section for decryption key"
validationKey="section for validation key" />
Is this fully safe to use, and is it safe to store key values like this? If not, what other alternatives do we have?
Jul 18, 2017 03:17 AM|priyalwalpita
It is not a good idea to store your sensitive data such as encryption keys in the machine config file because of the following reasons.
As a solution, if you are using ASP.Net Core you can easily use the new Data Protection API.
Ref: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/
This can be used in .Net Framework as well.
If you really need to protect your security keys, the best way is using an HSM (Hardware Security Module). If you are hosting your application in the cloud, you can use a cloud component such as Azure KeyVault.
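As an added illustration of the Data Protection API mentioned in the answer above (not code from either poster), this console sketch protects a cookie payload without any key in a config file and shows that a wrong purpose or a tampered value is rejected. The key directory, purpose strings and payload are constructed for the example, and the NuGet package Microsoft.AspNetCore.DataProtection.Extensions is assumed to be referenced.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class CookieProtectionDemo
{
    public static void Main()
    {
        // Assumption: a scratch directory for the key ring. The API generates and
        // rotates keys itself, so no key material is written into a config file.
        // In production, restrict access to this location and encrypt the key ring
        // at rest (for example with a key held in an HSM or Azure Key Vault).
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-demo-keys"));
        IDataProtectionProvider provider = DataProtectionProvider.Create(keyDir);

        // Each purpose string derives an isolated subkey from the same key ring.
        IDataProtector cookieProtector = provider.CreateProtector("Demo.UserCookie.v1");
        IDataProtector resetProtector = provider.CreateProtector("Demo.PasswordReset.v1");

        // Constructed sample payload: encrypted and authenticated in one call.
        string cookieValue = cookieProtector.Protect("userId=42;role=member");
        Console.WriteLine("Round trip: " + cookieProtector.Unprotect(cookieValue));

        // A protector created for another purpose cannot read the cookie.
        Console.WriteLine("Wrong purpose accepted: " + TryUnprotect(resetProtector, cookieValue));

        // Changing one character of the protected value fails the integrity check.
        char[] chars = cookieValue.ToCharArray();
        int mid = chars.Length / 2;
        chars[mid] = chars[mid] == 'A' ? 'B' : 'A';
        Console.WriteLine("Tampered value accepted: " + TryUnprotect(cookieProtector, new string(chars)));

        // Optional expiry enforced by the protector instead of by cookie attributes.
        ITimeLimitedDataProtector timed = cookieProtector.ToTimeLimitedDataProtector();
        string shortLived = timed.Protect("userId=42", TimeSpan.FromMinutes(20));
        Console.WriteLine("Time-limited round trip: " + timed.Unprotect(shortLived));
    }

    // Unprotect throws CryptographicException for a wrong purpose, a modified
    // payload, an expired payload, or a key that is no longer in the key ring.
    private static bool TryUnprotect(IDataProtector protector, string value)
    {
        try { protector.Unprotect(value); return true; }
        catch (CryptographicException) { return false; }
    }
}
```

Both "accepted" lines print False; callers should treat the exception as an invalid cookie rather than surfacing the error detail to the client.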
Jul 18, 2017 02:14 PM|Rithu_dev
PriyalWalpita: Thank you for your update.