Security Basics mailing list archives
Re: Securing an encryption key within software.
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Fri, 16 Jun 2006 09:34:15 -0700
Without understanding the use and confidentiality requirements of your system, the only thing I can suggest is the use of a TPM. The Trusted Platform Module 1.2 is a hardware chip that comes with most recent computers. The TPM can bind your encryption keys, such that the keys are tied to a particular TPM. Since each TPM has a unique root key, the wrapped application encryption keys cannot be decrypted on any other computer.

Generate a unique AES encryption key for each installation of your software, wrap/bind that key with the wrapping key from the TPM, and place the wrapped AES key on the hard drive. Whenever you need to access your encrypted data, read the encrypted AES key from the hard drive, have it decrypted by the TPM, and use the decrypted key to decrypt the other data. So now your application is tied to a particular computer. If somebody steals the AES key from the computer and tries to decipher on some other computer, they won't be able to.

To further secure this implementation, you can probably use a cryptographic ASIC or HSM to perform the encryption, so that the CPU never sees the decrypted AES key.

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
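The bind/unbind scheme described above, as an added example that is not part of the original post and not a real TPM driver: the TPM is modeled in software as a struct whose root key never leaves it (an assumption; a real deployment would call the chip through its software stack), the per-installation AES key is generated at install time and stored only in wrapped form, and the read path unwraps it on the same "chip" before decrypting. The AES-GCM wrapping, the labels used as associated data, and every function name here are this example's choices, not anything from the post.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SimTPM is a software stand-in for a TPM's storage root key (assumption: it
// only reproduces the property that the root key never leaves the device).
type SimTPM struct {
	rootKey []byte // 32-byte AES key, unique per "chip", never exported
}

// NewSimTPM models provisioning a chip with its own random root key.
func NewSimTPM() (*SimTPM, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &SimTPM{rootKey: k}, nil
}

// aeadSeal encrypts with AES-256-GCM and prepends the random nonce. The label
// is authenticated data, so a wrapped-key blob can never pass as a data blob.
func aeadSeal(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// aeadOpen reverses aeadSeal; a wrong key, wrong label or tampered byte fails
// authentication and returns an error rather than garbage plaintext.
func aeadOpen(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// Bind wraps an application key under this chip's root key; Unbind recovers
// it, and succeeds only on the chip that did the binding.
func (t *SimTPM) Bind(appKey []byte) ([]byte, error) {
	return aeadSeal(t.rootKey, appKey, "tpm-bound-app-key")
}

func (t *SimTPM) Unbind(wrapped []byte) ([]byte, error) {
	return aeadOpen(t.rootKey, wrapped, "tpm-bound-app-key")
}

// Install generates the per-installation AES key and returns only its wrapped
// form, which is what goes on the hard drive. The plaintext key is dropped
// here and only reappears transiently inside Unbind.
func Install(tpm *SimTPM) ([]byte, error) {
	appKey := make([]byte, 32)
	if _, err := rand.Read(appKey); err != nil {
		return nil, err
	}
	return tpm.Bind(appKey)
}

// EncryptData and DecryptData are the write and read paths: unwrap the stored
// key via the TPM, then use it on the application data.
func EncryptData(tpm *SimTPM, wrappedKey, plaintext []byte) ([]byte, error) {
	appKey, err := tpm.Unbind(wrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unbind: %w", err)
	}
	return aeadSeal(appKey, plaintext, "app-data")
}

func DecryptData(tpm *SimTPM, wrappedKey, blob []byte) ([]byte, error) {
	appKey, err := tpm.Unbind(wrappedKey)
	if err != nil {
		return nil, fmt.Errorf("unbind: %w", err)
	}
	return aeadOpen(appKey, blob, "app-data")
}

func main() {
	thisPC, _ := NewSimTPM()
	otherPC, _ := NewSimTPM() // a different machine: different root key
	wrapped, _ := Install(thisPC)
	ct, _ := EncryptData(thisPC, wrapped, []byte("constructed sample record"))
	pt, err := DecryptData(thisPC, wrapped, ct)
	fmt.Printf("same machine: %q err=%v\n", pt, err)
	_, err = DecryptData(otherPC, wrapped, ct) // stolen disk image elsewhere
	fmt.Println("other machine:", err)
}
```

The point the model makes concrete is that what sits on disk (the wrapped key and the ciphertext) is useless without the specific chip: on the second machine the unwrap fails authentication before any data is touched. What it does not model is the post's last suggestion, an HSM or crypto ASIC doing the bulk encryption so the unwrapped key never enters CPU memory; here the unwrapped key is briefly held in the process.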
Current thread:
- Securing an encryption key within software. Davie Elliott (Jun 16)
- Re: Securing an encryption key within software. Saqib Ali (Jun 19)
- <Possible follow-ups>
- Re: Securing an encryption key within software. simonis (Jun 19)
- Re: Securing an encryption key within software. alegr1 (Jun 19)
