
I am building an application that uses keystores as a way to securely store RSA keys and certificates.

Obviously, I need a password to retrieve my private key.

What is the proper way to store this password? I know, for example that burying it in the code is not a good idea.

I couldn't find anything useful until now, and I need it for school.

Thanks

Dor Mesica

2 Answers


So there are several ways to answer this question, but ultimately it's going to depend on your requirements and what you have available to you.

  • The simplest solution is to never store the passphrase and manually input it when required (at service start.) That can seem onerous but if the service is stable you're not likely to enter it often.

  • If you have a physical device, or if you have the ability to have host affinity (keep your virtual machine on the same physical machine all the time), you can likely take advantage of a Trusted Platform Module embedded in your device. It's possible to store symmetric keys in a TPM (a good breakdown is here: https://security.stackexchange.com/a/51341/2678). It's not really any more secure than a passphrase on disk against an active attacker, but it is stored separately from the disk; if the disk were to be stolen/compromised, it would require more than a simple disk copy to discover.

  • The better option is that you could actually store the RSA keys in the TPM itself, and the TPM can handle the keying operations instead of you holding them in a keystore directly. If the daemon you're using can support PKCS11, this is the best-supported way. (See Virtual Smartcards: https://frankmorgner.github.io/vsmartcard/virtualsmartcard/README.html.) Also the Java docs: https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html

These are definitely not the only ways you can do this, but it should give you some ideas.

Ori
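As an added illustration of the first and third options in the answer above (prompting for the passphrase at service start, and keeping the key on a TPM or smart card behind PKCS#11), here is Java code that loads an RSA private key from a `KeyStore` either way without a password ever appearing in source. This is example code written for this page, not code from the question or the answer; the file name `service.p12`, the alias `service` and the SunPKCS11 config path `/etc/app/pkcs11.cfg` are assumptions.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;

/**
 * Example only (not code from the question or either answer).
 * Assumed names: service.p12 (a PKCS#12 keystore), alias "service",
 * and /etc/app/pkcs11.cfg (a SunPKCS11 configuration file naming the
 * token's PKCS#11 library and slot).
 */
public final class KeystoreLoader {

    /** Option 1: prompt at service start; the passphrase never touches disk or source code. */
    static char[] promptForPassword(String prompt) {
        Console console = System.console();
        if (console == null) {
            // No interactive terminal (e.g. started by an init system): fail closed
            // rather than fall back to a hard-coded or default password.
            throw new IllegalStateException("no console available to read the keystore password");
        }
        return console.readPassword(prompt);
    }

    /** Loads the private key from a file-based PKCS#12 keystore using a prompted password. */
    static PrivateKey loadFromFile(String path, String alias) throws Exception {
        char[] password = promptForPassword("Keystore password for " + path + ": ");
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(in, password);
            // PKCS#12 files normally protect the key entry with the same password as the store.
            KeyStore.PrivateKeyEntry entry = (KeyStore.PrivateKeyEntry) ks.getEntry(
                    alias, new KeyStore.PasswordProtection(password));
            if (entry == null) {
                throw new IllegalArgumentException("no private key entry named " + alias);
            }
            return entry.getPrivateKey();
        } finally {
            // char[] rather than String so the password can be wiped once it is no longer needed.
            Arrays.fill(password, '\0');
        }
    }

    /** Option 3: the key lives on a TPM/smart card behind PKCS#11; Java gets a handle, not key bytes. */
    static PrivateKey loadFromPkcs11(String cfgPath, String alias) throws Exception {
        // Java 9+: configure the built-in SunPKCS11 provider from a config file.
        Provider p11 = Security.getProvider("SunPKCS11").configure(cfgPath);
        Security.addProvider(p11);
        char[] pin = promptForPassword("Token PIN: ");
        try {
            KeyStore ks = KeyStore.getInstance("PKCS11", p11);
            ks.load(null, pin);                                   // no file: the token is the keystore
            PrivateKey key = (PrivateKey) ks.getKey(alias, null); // login already happened in load()
            if (key == null) {
                throw new IllegalArgumentException("no private key named " + alias + " on the token");
            }
            return key; // signing/decryption with this handle runs inside the token
        } finally {
            Arrays.fill(pin, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        boolean useToken = args.length > 0 && args[0].equals("--pkcs11");
        PrivateKey key = useToken
                ? loadFromPkcs11("/etc/app/pkcs11.cfg", "service")
                : loadFromFile("service.p12", "service");
        // For a PKCS#11 key getFormat() is null: the key material is not exportable.
        System.out.println("Loaded " + key.getAlgorithm() + " key; format=" + key.getFormat());
    }
}
```

Run it as `java KeystoreLoader` for the file-based keystore or `java KeystoreLoader --pkcs11` for the token. The key design point is the same in both paths: the secret is read into a `char[]` at start, used once to open the store, and then wiped; nothing in the code base or on disk contains it. The PKCS#11 path additionally means a copy of the disk does not yield the private key at all, only the keystore file's reference to an object on the token.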

Some common options:

  1. In your memory. Upside: no readable copy exists of the password. Downsides:
    • If you forget it, bye bye encrypted content.
    • The fact that you have to remember it limits how complex the password can be.
  2. In a password manager. Upsides: you don't have to remember it, and it can be a strong random password. Downside: the password manager itself requires a password. Upside: you just need to memorize that one password for the password manager.
  3. On a piece of paper stored in a safe or bank safe deposit box. Downside: there's a plaintext physical copy of the password, and if somebody gets it they can decrypt the keys and certs. Upsides: if you forget the password you can retrieve it; if you get hit by a bus, other authorized parties can retrieve it as well (e.g., your family).
Luis Casillas