This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 46%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPC%3C/text%3E%3C/svg%3E)
As a result of the Veracode security scan, the Encryption Key and IV were found to be hard-coded in the code. For encryption, we are also using the old TripleDES algorithm.
In this case, we must remove the hard-coded key and IV and also update to the AES algorithm. This is a utility class that will be used throughout the application (in Web application, Windows application and WCF services)
Hard code key and IV in Encryption class
It is a legacy application that has recently been moved to AzureDevops. The process of removing hard-coded keys and implementing a new encryption standard presents some challenges.
1.The best way to store the encryption key and IV securely is local/store in files.
2.We don't have option to store in AzureKeyValut and use Environment Variable.
3.Also Client not accepting to store Key & IV store in Web.Config and Database.
I have chosen AES CBC Mode symmetric algorithm for server side encryption. But Not sure how to deal encryption key storage.
What are the best approaches/secure ways to store the Key & IV locally or any other options available?
Please assist and share helpful thoughts.
Thanks in advance.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
for old asp.net, IIS encryption services is probably best:
https://learn.microsoft.com/en-us/previous-versions/aspnet/zhhddkxy(v=vs.100)
Is any other option instead of storing it in web.config, Azurekey vault or in database?
This is not only for asp.net . This is actually a generic utility class. The same encryption functionality used in Windows application, WCF various application
you can use azure key vault, but storing the key vault credentials will cause a similar issue. you can use sqlserver encryption services. this has the advantage that access is by user credentials and the user will not have access to the keys, only encrypt and decrypt.
Could you please provide sample code using sql server encryption or how to do?
Thanks
see docs to create a symmetric key:
then:
create procedure [dbo].[EncryptData]
@data varchar(1000)
as
declare @encryptedData varbinary(8000)
open symmetric key MySecureKey
decryption by certificate MySecureCert
set @encryptedData = EncryptByKey(key_guid('MySecureKey'),@data)
select @encryptedData as EncryptedValue
close symmetric key MySecureKey
go
create procedure [dbo].[DecryptData]
@encryptedData varbinary(8000)
as
open symmetric key MySecureKey
decryption by certificate MySecureCert
select convert(varchar(1000),DecryptByKey(@encryptedData)) as DecryptedValue
close symmetric key MySecureKey
go
typically in code, you'd convert the binary to base64 or base64url.