I have a java properties object with authentication information for a web service.
I need to encrypt that data, but I don't know where I need to store the encryption key for it to remain secure.
What are the best practices around encrypting this data and retrieving it in a secure way?
Is there any advantage to using a keystore?
ws_user=username
ws_password=password
ws_url=https://www.whatever.com/myservice
解决方案
Your problem is a common one. In linux, user passwords are stored in a plain text file. Although only the password hashes are stored, if an attacker gets access to that file, he will not take long to discover some password using an offline dictionary attack. In this case, the OS relies on file permissions to deny access to unauthorized users. In your case, it is not much different. You must configure the password file permissions properly and ensure the physical security of the server.