EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Best practices for website with PGP keys?

Posted: 11/07/2007 13:45:25
by Darrell Bircsak (Basic support level)
Joined: 11/07/2007
Posts: 1

Greetings! I'm new to PGP keys and SecureBlackbox. I used GnuPG to make a key. I sent the public key to company X. Company X encrypted a file using this key and sent it back to us. I'm using SBPGP to DecryptAndVerify this file. But I have on my website the pubring.gpg and secring.gpg files as well as hard coded in the KeyPassphrase to decrypt. Having everything (keys and passphrase) rather "exposed" like this on our website makes me worried. I turned off Anonymous access to our *ring.gpg files. But I just don't like the setup. What should I do differently? What's the best practice here?

I need to have a webpage that allows a user to log on, pick a file to decrypt, and hit the Decrypt button.

Any help anyone can lend would be appreciated! Thanks!

Kelsey National Corp.
Posted: 11/07/2007 14:48:31
by Eugene Mayevski (EldoS Corp.)

The password for the private key is not more secret than the private key of the certificate, or a password to a MySQL database on the server, or other sensitive information. All you can do is keep such information as secure as possible. This is more the web admin's task than a programmer's task. So we can hardly give you any good advice. Obfuscation of the password will definitely help, but if the hacker can download your software to his computer, he would be able to dig deep into the code.

Sincerely yours
Eugene Mayevski
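
Added example (not part of either post, and not EldoS or SecureBlackbox code): a pre-deployment check in Python that walks a site's web root and reports `*ring.gpg` files and source lines that assign a string literal to a passphrase-named variable, the two exposures the question describes. The file extensions scanned, the sample tree and the `PGP_PASSPHRASE` variable name are assumptions made for the illustration.

```python
import re
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Assumption: these are the file types that hold page code or settings.
SOURCE_EXTS = {".cs", ".vb", ".aspx", ".config"}
# A passphrase-named variable assigned a string literal, e.g. KeyPassphrase = "..."
HARDCODED = re.compile(r'passphrase\w*\s*=\s*"[^"\n]+"', re.IGNORECASE)

def audit(web_root):
    """Return sorted (finding, relative_path, line_no) tuples for web_root."""
    root = Path(web_root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if fnmatch(path.name.lower(), "*ring.gpg"):
            # Key rings inside the served tree depend on access rules alone.
            findings.append(("keyring-in-web-root", rel, 0))
        elif path.suffix.lower() in SOURCE_EXTS:
            text = path.read_text(encoding="utf-8", errors="ignore")
            for no, line in enumerate(text.splitlines(), 1):
                if HARDCODED.search(line):
                    findings.append(("hardcoded-passphrase", rel, no))
    return sorted(findings)

def build_sample(root):
    """Constructed sample site mirroring the layout described in the question."""
    root = Path(root)
    (root / "keys").mkdir(parents=True)
    (root / "keys" / "pubring.gpg").write_bytes(b"constructed placeholder")
    (root / "keys" / "secring.gpg").write_bytes(b"constructed placeholder")
    (root / "Decrypt.aspx.cs").write_text(
        '// hypothetical page code\nstring KeyPassphrase = "constructed-example";\n')
    (root / "DecryptFixed.aspx.cs").write_text(
        '// hypothetical: secret supplied by the host, not the source tree\n'
        'string KeyPassphrase = Environment.GetEnvironmentVariable("PGP_PASSPHRASE");\n')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit(build_sample(tmp)):
            print(finding)
```

A clean run only shows that these two patterns are absent from the served tree; protecting the location the key ring and passphrase are moved to remains the server administration task the reply refers to.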


