I have a web application implemented using Java Spring. Basically, each user in the application can store some critical information. Once the user enters that data, it should be persisted. Is there any standard way to store that secure information? I can think of the following places to store that information:
1) In database
2) On Webserver as different files for each user. We can encrypt data in those files using some key.
I prefer the webserver, as files for each user. But I have the following questions:
1) Where can we store those files on the webserver?
2) How can we restrict access to those files?
3) Is there something available in spring to achieve this?
4) What kind of encryption library can I use to achieve this? And where can I store the key for each user?
5) How can we sync those files on multiple instances? Is there some standard library for this also?
I'm not familiar with Spring, but I recently worked on secure file storage, so here is what I can say:
The advantage of storing files in the DB is the following: if the attacker reaches your server, then he will not get the files; he will have to find the DB password.
For a strong enough authentication method, you must ask 2 of these 3 questions to your user:
Not secure enough? Let's have a quick talk about file encryption...
For the libraries, I don't know (my apologies), but for the encryption method, keep it simple: use well-known and efficient algorithms like RSA, AES or Triple DES.
How to handle encryption ?
Here is the result of a conversation I've had with friends about file encryption and key storage:
The client has to encrypt the file. Then he sends the key and the filename (or file ID) to a server (server1) and the encrypted file to another server (
The client gets the encrypted file from server2, reads the filename (or the file ID) and gets the right key from server1 so he can decrypt the file.
The best thing to do is to secure the 2 servers (
2) with two-factor authentication (2 of the 3 questions) but it could be a break to the user's experience.
Hope it could help,
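
The split described in the answer above (key on server1, encrypted file on server2), as an added example that is not code from the original answer. Assumptions: two in-memory maps stand in for the two servers, AES-256-GCM from the JDK's `javax.crypto` is chosen as the cipher, the file ID is bound to the ciphertext as associated data, and the class and method names are hypothetical.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
public class SplitKeyStorageDemo {
    // In-memory stand-ins (assumption) for the two separately secured servers.
    static final Map<String, SecretKey> server1Keys = new HashMap<>(); // file ID -> key
    static final Map<String, byte[]> server2Blobs = new HashMap<>();   // file ID -> IV || ciphertext+tag
    static final SecureRandom RNG = new SecureRandom();
    static final int IV_LEN = 12, TAG_BITS = 128;
    // Client side: encrypt with a fresh per-file key, then split key and blob.
    static String store(byte[] plaintext) throws Exception {
        String fileId = UUID.randomUUID().toString();
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // a fresh random IV for every encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        c.updateAAD(fileId.getBytes(StandardCharsets.UTF_8)); // bind blob to its ID
        byte[] ct = c.doFinal(plaintext);
        byte[] blob = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        server1Keys.put(fileId, key);   // the key never sits next to the data
        server2Blobs.put(fileId, blob); // the blob alone is useless to a thief
        return fileId;
    }

    // Client side: fetch the blob from server2, the key from server1, decrypt.
    static byte[] load(String fileId) throws Exception {
        byte[] blob = server2Blobs.get(fileId);
        SecretKey key = server1Keys.get(fileId);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        c.updateAAD(fileId.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN); // throws if modified
    }

    public static void main(String[] args) throws Exception {
        String id = store("constructed sample record".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(load(id), StandardCharsets.UTF_8));
        server2Blobs.get(id)[IV_LEN] ^= 1; // simulate tampering on the blob server
        try { load(id); } catch (AEADBadTagException e) {
            System.out.println("tampered blob rejected");
        }
    }
}
```

Because GCM is authenticated, a blob altered on the storage server fails decryption instead of yielding corrupted plaintext, and a blob copied under a different file ID fails the same way.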