Magnus Fransson

How to securely store an encryption key?

Discussion created by Magnus Fransson on Oct 6, 2017
Latest reply on Aug 13, 2018 by jameshea

Hi all,

I’m thinking of starting to use the new field encrypting functions in FileMaker to improve the security of some stored information in the system I’m maintaining. But I’m puzzled. Is it really more secure, if the key is stored inside the solution as well?

Imagine this fictive scenario:

Your system has the ability to send e-mails on the user’s behalf. To do that it stores the credentials to the company’s SMTP server in a settings table. But to protect against unauthorized use you want to encrypt the credentials. But for the system to be able to send those e-mails, the script engine needs to be able to decrypt the credentials, and thus needs access to the encryption key.

What happens if what you have to protect is something more valuable or sensitive? For example, credit card information?

Imagine further that this is something you want to distribute, for example a vertical solution. You most likely will be using “save as clone” to produce the distribution copy. That excludes using any fields to store the encryption key.

What do the resident security experts have to say on the matter?

shblackwell

What is good praxis for securely storing the encryption key within a solution?

With best regards, Magnus Fransson.

PS.

This is deliberately limited to field encryption, because it is a new security technology.

Other security methods I believe I already can handle.
