4

I am currently employing GNU Crypto in Java and I am now deciding on the best way to store the keys.

The question "Storage of 'secrets', keystores, HSMs and the rest" has led me to believe the best course of action, without purchasing expensive hardware, is to use a password-protected key store.

I plan to enter a password on system start-up to allow the system access to the key store and eliminate the need to store the password in the same location as the key store. However, at this time the key store will be located on the same system as the database with the files and IV.

One answer to the question https://stackoverflow.com/questions/723653/storing-encryption-keys-best-practices suggests splitting up a key and spreading it around. I have thought of doing this where I may locate part of the key in my keystore, part in my database and perhaps parts elsewhere. Would this add any security?

As for the key store, my preference would be to use the GNU Crypto keyring, however it does explicitly appear to accept symmetric keys. Is there a way to use it for this purpose? I can't seem to find any useful examples. An alternative would be Java KeyStore, which seems to accept 'SecretKeys.'

Many thanks for your help.

Bonus question: I decided to use GNU Crypto's ciphers as I had read, and perceived, it to be quicker than the alternatives, partly due to it not having to use any native C code. Is this assumption correct?

John
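The start-up password approach from the question, with a symmetric key held in a Java KeyStore, shown as an added example (not code from the question or the answer). It assumes JDK 8 or later and a PKCS12 store; the alias `db-file-key` and the file name `app-keys.p12` are hypothetical.

```java
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import java.io.Console;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;

public class SymmetricKeyStoreDemo {
    private static final String ALIAS = "db-file-key"; // hypothetical alias

    // Generate a fresh AES key and write it to a new password-protected store.
    static void create(Path file, char[] password) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null); // initialise an empty store
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(kg.generateKey()),
                new KeyStore.PasswordProtection(password));
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, password);
        }
    }

    // Open the store with the operator-supplied password and return the key.
    static SecretKey load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password); // a wrong password fails here with IOException
        }
        KeyStore.Entry e = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(password));
        if (!(e instanceof KeyStore.SecretKeyEntry))
            throw new IllegalStateException("no secret key under alias " + ALIAS);
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        Path file = Paths.get(args.length > 0 ? args[0] : "app-keys.p12");
        Console console = System.console();
        if (console == null) throw new IllegalStateException("no interactive console");
        char[] password = console.readPassword("Key store password: ");
        try {
            if (Files.notExists(file)) create(file, password);
            SecretKey key = load(file, password);
            System.out.println("Loaded " + key.getAlgorithm() + " key from " + file);
        } finally {
            Arrays.fill(password, '\0'); // do not leave the password in memory
        }
    }
}
```

The password is read into a `char[]` and wiped after use, so it is never written to disk next to the store; the decrypted key still lives in process memory for as long as the application runs.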

1 Answer

3

Instead of rolling your own crypto scheme, use Keyczar for your cryptography. It is an opinionated framework that handles everything for you (including key management) and has been extensively reviewed by cryptographers and security researchers.

To encrypt the Keyczar keystore, use OS-level full-disk encryption.

titanous