views:

373

answers:

2
+2  Q: 

JKS protection

Are JKS (Java Key Store) files encrypted? Do they provide full protection for encryption keys, or do I need to rely solely on access control?
Is there a way to ensure that the keys are protected?

I'm interested in the gritty details, including algorithm, key management, etc. Is any of this configurable?

+2  A: 

They are encrypted.

The algorithm is provider dependent. The provider will return the key/certificate based on a password. If you need strong security, find a keystore provider that uses a strong encryption.

Shimi Bandiel
Thanks, can I have more details? Algorithm, key management, etc
AviD
Shimi Bandiel
And also maybe this: http://metastatic.org/source/JKS.html
Shimi Bandiel
Yeah, those links (especially the second) helped. So in short, its *kinda* encrypted, just not particularly well.
AviD
+3  A: 

To be more precise:

  • PrivateKeys and SecretKeys within a JKS file are encrypted with their own password.
  • Integrity of trusted certificates is protected with a MAC using the key store password.
  • The file as a whole is not encrypted, and an attacker can list its entries without the key store password.
erickson
Thanks, can you elaborate on the details? Algorithms, key management, how do i configure this all?
AviD