
I'm building an application that needs to store a public/private key pair generated by the user. What's the best way to do this? Encrypt the private key in the db with some application-generated secret? Encrypt the private key with some user-specific secret?

A.N.
    If you have the private key, how is it private anymore? – ixe013 Sep 23 '14 at 05:07
  • What is the intention of saving the private keys? In general, saving private keys of your users is a really bad thing. So without further information on why you need the private keys you will not get any answer to this. – Uwe Plonus Sep 23 '14 at 05:45
  • You should re-think the design of your application. The security of asymmetric cryptography depends on the private key being accessible only to the holder. – Bob Brown Sep 23 '14 at 08:51

2 Answers


To disagree with previous comments: it is OK (but highly unusual) to store private/public key pairs in a database, depending on your infrastructure. We could talk about special Identity-Based PKIs, for example. So what you need to provide is more information about your infrastructure to get a proper answer. However, as you gave the two examples:

"Encrypt by application-generated secret" - yes, but you have to secure that secret as well, so it seems that it is a kind of cyclomatic. The only thing you can really do is restrict the database access.

"Encrypt the private key with some user-specific secret" - it seems to be a contradiction, as you would never store the private key of a user if the user holds this private key as well; and if he holds a secret to encrypt this private key, he could hold the private key itself instead.

user2504380

Short answer: you don't. Private keys are, by definition, meant to remain private. If you need to store a secret for each user, the odds are symmetric encryption is a better fit.

You should edit your question with more details about what you're trying to accomplish. If there's a flaw in your design, as I guess, we can provide you advice to make it better. And if you actually happen to have a good reason to store a user's private key, I'd be very interested in reading it.

ero