Best practice for storing encryption keys for secure logon

Hello, everyone.

What is the best practice for storing encryption keys for secure logons? For example, if I wanted to generate random encryption keys for each user of a web app, I’d need those keys to decrypt for the logon process and other things.

Thank you,


Where you store the encryption keys shouldn’t matter. The security shouldn’t need to rely on their being kept secret.

But, if I store them in the database and someone hacks the database, then they have the way to decrypt the data. How, then, does one encrypt the data so that the hypothetical situation doesn’t happen?



If you use a strong hash the chances that someone will bother to take all the time and resources to decrypt only to “maybe” suceed is extremely unlikely, use a “salt” and it’s virtually impossible.

Unless I’m mistaken, md5 is not preferred but sha1 or other algos are the better options.

Thank you, felgall and Mittineague, for responding. But (as I understand it), hashing is one way, which is great for just checking that a password is correct. What about decrypting data?

There’s no need to. If someone forgets send a temp one to their email so they can log in and change it to something else if they prefer.

So it look like there is confusion of terms here, WolfeShade.

If you are looking to be able to read this data again, and you are worried about confidentiality, move this confidential data to a different source (in house) and use encryption. Who will be decrypting this data? What will it be used for? There’s definitely no quick answer such as ‘move it here and use this’, it completely depends on what your dealing with.


Looking at your original, your looking at things for a login process, you want to use hashing. You have no need to know what the data actually is, just that it matches.

Hi, K. Wolfe,

Thanks for your reply. Although I did, indeed, mention secure login in my original post, I was also thinking of keeping PII encrypted in case the database, itself, was compromised (name, address, phone, dob, security questions, etc.)

There is no current project that I am asking about. Just for future reference, as I will soon be working on a project that may or may not have said information in the database.



For passwords, definitely hash.

For other stuff, you can keep the keys in your application code. After all, your application ultimately needs the keys anyway in order to communicate with the database.

Hi, Jeff,

If using static key(s) and hard coding it/them into the application is the best way, then which is the most protected scope to put them in? I’m developing in ColdFusion 9/10. I was originally thinking of a random key for each user and somehow keeping something in the database, but I guess that’s not really viable.



Feel free to also just parse a config file of some sort that is outside of your project directory that will include your credentials. This makes things much safer if your storing your project on a remote source control service (git, svn, etc)

Good thought. I’ll need to start learning about how to access files below the root in CF.