Security Basics mailing list archives
Securing an encryption key within software.
From: "Davie Elliott" <delliott () eluse co uk>
Date: Fri, 16 Jun 2006 09:59:12 +0100
Hello everyone,
I have been writing a password storing application in Visual Basic. The
passwords are stored in a database and encrypted with AES 256-bit.
And I have been wondering how I would stop the key from being found, should
the software somehow leave the building and fall into the wrong hands.
Using a simple Hex Editor on the software I can see that any strings that
have been defined ("hard coded") in the software can easily be read. So what
I have done is left the "hard coded" key in the software, but only use it to
encrypt/decrypt the database key that is held in a file, so I have:
"Hard coded" key [ENCRYPT] Database Key -----> Encrypted key (stored in a plain text file)
When the software loads:
"Hard coded" key [DECRYPT] Encrypted key -----> Database key (stored in memory and used to decrypt passwords in the database).
My worry again, is that if the plaintext file and the software managed to
leave the building, the same situation will occur.
So, my question is: How does one securely store an encryption key inside a
program?
I thank you for your input.
Davie Elliott
Network Administrator
Express Link-Up Social Enterprise
Unit 4-6
Lenton Business Centre
Lenton Boulevard
Nottingham
NG7 2BY
t: 0115 9791200
w: www.eluse.co.uk
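
The wrapping scheme described in the message above, as an added example that is not part of the original post: it wraps a 256-bit database key once with a key compiled into the program and once with a passphrase typed at startup, then checks whether a copy of the program plus the key file is enough to unwrap it. The passphrase variant goes beyond the post's scheme; it, all names and the sample values are assumptions, and the PBKDF2 pad plus HMAC wrap is a standard-library stand-in for the AES-256 step.

```python
import hashlib
import hmac
import secrets

HARD_CODED_KEY = b"constructed-key-compiled-into-exe"  # constructed sample value
ITERATIONS = 200_000  # assumed PBKDF2 work factor

def _derive(secret: bytes, salt: bytes):
    """PBKDF2-HMAC-SHA256 -> 32-byte XOR pad + 32-byte MAC key."""
    out = hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=64)
    return out[:32], out[32:]

def wrap(db_key: bytes, secret: bytes) -> bytes:
    """Build the 'encrypted key' file: salt(16) || wrapped key(32) || tag(32)."""
    if len(db_key) != 32:
        raise ValueError("expected a 256-bit database key")
    salt = secrets.token_bytes(16)  # fresh salt per wrap, so a pad is never reused
    pad, mac_key = _derive(secret, salt)
    ct = bytes(a ^ b for a, b in zip(db_key, pad))
    return salt + ct + hmac.new(mac_key, salt + ct, hashlib.sha256).digest()

def unwrap(blob: bytes, secret: bytes) -> bytes:
    """Recover the database key, or raise if the secret is wrong or the file changed."""
    salt, ct, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = _derive(secret, salt)
    good = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong secret or modified key file")
    return bytes(a ^ b for a, b in zip(ct, pad))

def copy_exposes_db_key(program_image: bytes, key_file: bytes) -> bool:
    """Does program + key file alone (what 'leaves the building') unwrap the key?"""
    if HARD_CODED_KEY not in program_image:
        return False
    try:
        unwrap(key_file, HARD_CODED_KEY)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    db_key = secrets.token_bytes(32)
    image = b"MZ\x90\x00" + HARD_CODED_KEY + b"\x00rest of program"  # constructed
    as_posted = wrap(db_key, HARD_CODED_KEY)
    with_pass = wrap(db_key, b"passphrase typed at startup")  # never stored on disk
    print("hard-coded wrap exposed:", copy_exposes_db_key(image, as_posted))
    print("passphrase wrap exposed:", copy_exposes_db_key(image, with_pass))
```

With the passphrase variant the protection of the key file is bounded by the strength of the passphrase and the PBKDF2 work factor, and the unwrapped database key is still present in memory while the program runs.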
