如何存储用于加密文件的密钥 [英] How to store the key used to encrypt files
问题描述
我正在玩一个应用程序来备份文件到云:),我想加密文件之前我存储他们。这部分我已经涵盖,但因为这个应用程序将监控文件夹更改和上传更改的文件,我需要存储我用来加密文件的密钥。这个想法是用户提供了一个密码,并生成一个密钥。
I'm playing around with an app to backup files to "the cloud" :) and I want to encrypt the files before I store them. That part I have covered, but as this app will be monitoring folders for change and uploading the changed files I need to store the key that I use to encrypt the files with. The idea is that the user provides a password and a key is generated.
目前我使用.NET Framework进行加密。我使用RijndaelManaged类加密/解密和PasswordDeriveBytes类来获取密钥。
At the moment I'm using the .NET Framework to do the encryption. I'm using the RijndaelManaged class to encrypt/decrypt and the PasswordDeriveBytes class to get the key.
但是我应该如何保留用于加密文件的密钥?我也希望程序从Windows开始,而不需要用户再次输入他们的密码。
But how should I keep the key that is used for encrypting the files? I also want the program start to with Windows and not need to have the user enter their password again.
推荐答案
避免使用非对称加密来加密您的文件。非对称加密比等强度的对称加密算法显着更昂贵(计算上)。对于加密大文件,我建议AES在RSA任何一天。
I'd recommend avoiding using asymmetric encryption for encryption of your files. Asymmetric encryption is significantly more expensive (computationally) than symmetric encryption algorithms of equal strength. For encrypting large files I'd recommend AES over RSA any day.
至于你的问题 - 数据保护API(DPAPI)Gaurav提到是你的最好的赌注在Windows。 如何:使用数据保护
As to your question - the Data Protection API (DPAPI) Gaurav mentions is your best bet on Windows. How to: Use Data Protection
DPAPI提供 ProtectedMemory 和< a href =http://msdn.microsoft.com/en-us/library/system.security.cryptography.protecteddata.aspx> ProtectedData 。前者允许你保护内存中的秘密,后者提供保护保存到磁盘的秘密。 API负责加密和解密。解密。(取决于指定的范围)将保护您的数据不被其他用户或其他计算机访问/解密。
DPAPI offers ProtectedMemory and ProtectedData. The former allowing you to protect secrets in memory, the latter affords protection for secrets persisted to disk. The API takes care of encryption & decryption for you, and (depending on the specified scope) will protect your data from access/decryption by other users or on other machines.
要在您的场景中使用DPAPI,我建议使用用户密码,生成对称加密密钥(例如 PasswordDeriveBytes ),存储使用DPAPI并限制对当前用户的访问。
To use DPAPI in your scenario, I'd recommend taking the users password, generating a symmetric encryption key (e.g. PasswordDeriveBytes), storing that using DPAPI and restricting access to the current user.
您的应用程序可以使用该密钥加密所有上传。您的应用程序可以在不重新提示用户的情况下获取密钥,并且密钥可以由用户在新系统上重新生成。
Your application can use that key to encrypt all uploads. Your application can obtain the key without re-prompting the user, and the key could be regenerated by the user on a new system.
一个缺点是恶意应用程序也由相同用户执行可能潜在地获得秘密密钥。为了防范此情况,必须在中提供额外的熵(实际上是一个盐)保护& 取消保护。但是,实现这一点可能会偏离你的目标 - 因为现在你需要提示用户看起来很像很多密码的东西。
One downside would be that a malicious application also executed by the same user could potentially obtain the secret key. To protect against this scenario additional entropy (effectively a salt) must be provided in Protect & Unprotect. However implementing this will likely stray from your objective - because now you'll need to prompt the user for something that seems an awful lot like a password.
:有趣的阅读:
您也可以从Backblaze找到这篇文章。虽然他们不解释他们如何支持您的方案(加密上传,云提供商不能解读 - 只是他们提供这样的服务):
http://blog.backblaze.com/2008/11/12/how-to-make-strong-encryption-easy-使用/
You may also find this post from Backblaze an interesting read. Although they do not explain how they support your scenario (encrypted uploads that the cloud provider cannot decipher - only that they offer such a service): http://blog.backblaze.com/2008/11/12/how-to-make-strong-encryption-easy-to-use/
免责声明:我是一个满意的Backblaze客户,但没有其他方式隶属于他们的服务。
Disclaimer: I am a satisfied Backblaze customer, but am in no other way affiliated with their service.
PS:请花时间标记可接受的答案。社群将奖励您。
PS: Do take the time to mark acceptable answers. The community will reward you.
这篇关于如何存储用于加密文件的密钥的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
