[Esapi-user] store encyrptor.masterkey encrypted

Kevin W. Wall kevin.w.wall at gmail.com
Fri Jan 29 16:56:51 EST 2010

Yi Li wrote:
> greetings, all:
>     will appreciate if anyone could provide insight here.
>     I would like to store the master encryption key
> (encryptor.masterkey) with some sort of protection, instead of keeping
> it clear text in the properities file even though i can place access
> control via the file system.
>    i am thinking to either store the encryption key either in a database
> or in a flat file but encrypted (where to store the master's master key
> become another problem to solve).
>    will appreciate if anyone could point me to an implementation that
> will support this or point me the way to write my own implementation to
> implement this.


How you do this depends greatly on whether you are using ESAPI 1.4 or

If you are using 2.0 and concerned about it, your best course of action
would be to retrieve it from wherever you wish to store it (e.g., TPM,
HSM, database, etc.) and then use the encrypt / decrypt methods that
take a secret key, i.e.,

	public interface Encryptor {
		CipherText encrypt(SecretKey key, Plaintext plaintext)
			throws EncryptionException;
		PlainText decrypt(SecretKey key, CipherText ciphertext)
			throws EncryptionException;

The way you calculate this SecretKey value, given the Encryptor.MasterKey
value, is quite simple:

    String masterKey = ... retrieve from some secure storage ...;
    byte[] skey = ESAPI.encoder().decodeFromBase64( masterKey );
    String encryptAlgorithm =
    SecretKeySpec secretKeySpec = new SecretKeySpec(skey, encryptAlgorithm);

and then use secretKeySpec for the SecretKey parameter on the above
encrypt / decrypt methods.

OTOH, if you are using ESAPI 1.4.x, then I'm afraid that this is going
to be much harder. It does not have such encrypt / decrypt methods so it
can only use the single key. The value of this property is retrieved and
base64-decoded by the reference encrypt/decrypt Encryptor implementation
using ESAPI.securityConfiguration().getMasterKey(), so you would need
to write your SecurityConfiguration implementation and change getMasterKey()
to retrieve the master key from whatever secure data store you wish
to keep it in. You would then have to call
ESAPI.setSecurityConfiguration(new MySecurityConfigurationImpl())
before you encrypt/decrypt with this. You could write your own
SecurityConfiguration implementation by either wrapping (delegation)
or extending DefaultSecurityConfiguration and then change getMasterKey()
to act differently.

I might be missing some of the details, which I' sure others will
correct, but I think this is the guts of it.

Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

More information about the Esapi-user mailing list