# server
f
Hello 👋 , I would need help about security. I’m working on an app where I need to save in the DB some third-party access token. Since this information is sensitive I suppose I should encrypt it and decrypt it when needed. I understand that for that I would need to generate a key and use it for encryption and decryption. However I have some trouble understanding how I should save this generated key (is there something provided by Ktor, or should I handle it with Docker or the provider where the app is running?). I would generate the key this way:
import java.security.Key
import java.security.SecureRandom
import javax.crypto.SecretKeyFactory
import javax.crypto.spec.PBEKeySpec
import javax.crypto.spec.SecretKeySpec

private fun getPasswordBasedKey(password: CharArray): Key {
    // Random salt; note it is generated fresh on every call and never returned,
    // so the same key cannot be re-derived later, which decryption would require
    val salt = ByteArray(100)
    val random = SecureRandom()
    random.nextBytes(salt)
    // PBKDF2 with HMAC-SHA256, 1000 iterations, 128-bit output key
    val pbeKeySpec = PBEKeySpec(password, salt, 1000, 128)
    val pbeKey = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(pbeKeySpec)
    return SecretKeySpec(pbeKey.encoded, "AES")
}
s
Check with some expert on security; sometimes it is easy to do something as insecure as doing nothing, but with the feeling that it is secure. My suggestion is to check if the DB supports encryption and to manage certificates in a proper way, but we are going outside the scope of this chat 🙂 Or use some secret vault and store them with API calls.
j
What Mirko said. The answer will be highly specific to your environment and has nothing really to do with Kotlin. It is best not to implement your own crypto, in Kotlin or any language. Are you generating tokens for your users to use, or storing a token (or tokens) that somebody gave you to access their system? It is best to avoid storing users' access tokens at all if you can; prefer to delegate to a known secure system, unless you're sure you have all the bases covered.
s
Also, if you are on the cloud, the major cloud providers usually have built-in solutions for managing secrets in a secure and reliable way. I would suggest taking a look at them if you are in this scenario.