jbtule/keyczar-dotnet

Insecure storage of private key set


Storing the private key set in the file system is insecure.

Consideration should be given to separating this process into its own library and allowing different storage methods for the key sets to be injected into the library, such as a Key Vault (HSM), a database or other more secure stores.

Yeah, I agree. The IKeySet interface needs rethinking. Right now GetKeyData(int version) requires returning serialized JSON. While in private projects I've written my own IKeySet for alternative storage and have made that work, I wouldn't say it's ideal. So definitely something to consider.

I have also been working on different storage methods.

I'm happy to assist in getting this implemented. Could you share your work with me, and I'll see what I can put together?

I've been making changes to Keyczar in PR #10 based on an old proposal for official Keyczar that never went anywhere, as their project stalled. It's released as 0.8.0-alpha1 on NuGet. It de-emphasizes the filesystem APIs and makes it more obvious how to combine keyset types for better security, by creating two interfaces, IRootProviderKeySet and ILayeredKeySet. All the existing KeySets have been converted to those two interfaces. I'm going to be creating some new Azure-based keystores and proxies to the key vault in this new project: https://github.com/jbtule/Keyzure