I’m creating some encryption in my asp.net webform, using the AES and the built in RijndaelManaged.
I’m wondering what kind of key system I should use. I want the SSN to be encrypted in the database, and to only be decryptable by either the owner of the ssn, or an authorized admin.
What I’m wondering is, if the encryption key is created during the application, then won’t I no longer be able to use it once the application is closed? Would I have to store the key in the database? That seems to ruin the point of the encryption. Is there a way to get the same key every time based on perhaps a seed number? Probably not, that seems like it would make it very easy to crack. How do I approach this problem?
In the end, the web application has to be able to read the data and present it to authorized users. If you want more than a single user to access the data, then you need some way to get at the data with a method that is not unique to a specific user. This means having to trust the app to give it to the right person.
What this means is that you should likely just encrypt the value in the database using database level encryption, assuming you’re using a database that offers this. Then your app can determine whether or not to show the data to someone, based on whatever authorization mechanism you have in place.