What is the best way to store a password on a system/server?

Question

I will have an application server that needs to use credentials to authenticate to another service (email). What's the best way to securely store these credentials locally on the machine?

Thanks in advance!

Answer 1

I think credential storage is best for storing cryptographic secrets. You can choose among the following choices depending on your security need -

• A software-based credential storage
• A system-managed credential storage
• A hardware-based credential storage

I would recommend you to read this blog, Cryptographic Key Storage Options & Best Practices. In most cases, system-managed credential storage is a good choice. Many operating systems provide system managed credential storage, for example, Windows Certificate Store, Mac OS Keychain. You can also see my answer on Android Keystore System to get an idea. Depending on your platform I can give you the following solutions for storing secret credential,

• If your server is Linux, you can use- Linux Kernel Keyring or Gnome Keyring described here
• If it is a Windows server, you can use Microsoft CryptoAPI. And if your stack is java then this documentation will help.

Answer 2

It tends to be OS and application specific, but you're looking for a keystore. Depending on your programming language there may already be a suitable keystore.

There are also OS-specific keystores. For example, on Linux you have keyctl (see the man page for detail) that stores secrets in the kernel. These obviously don't persist across a reboot so you'll want to load them from an encrypted file or another host across an encrypted (and authenticated) connection shortly after boot.

(I do exactly this for storing email passwords on a Linux machine. I load the passwords into the persistent keyring shortly after the machine boots. With some effort, I could automate this and have the credentials securely pushed from a different machine that didn't reboot.)

Answer 3

The best way is not to store unencrypted secrets... which soon leads to a chicken and egg problem: where to store the @!*# that gives access the the keystore if the server is expected to run unattended.

Except for obfuscation, the only way I know is to rely on the OS and file system security by writing that damned master password in a file only readable by the account used by the application that requires it (and of course by any admin of the machine...).

Answer 4

Ideally to reduce the attack surface you should not be storing such keys on the application server. Instead the keys shall be retrieved dynamically when required. AWS Secrets Manager is an example. However, if there is no alternative, it should be kept in a keystore. System keystore can be used. You should also make sure that application component which is front facing doesn't run with privileged access required to read or retrieve the key.