views: 622
answers: 3

We use Tomcat for our java web application. There is a properties file under WEB-INF folder.

AES encryption will be used to generate a key and encrypt the password. The encrypted password will be stored in the properties file. Where should the encryption key be stored? Is it a good idea to put the key and the encrypted password in the same properties file? Or should the key be stored outside of the 'webapps' directory?

+6  A: 

On Windows, you can use the Registry and DPAPI. Using the registry does suck, but it's a necessary pain if you want to go for absolute security and leverage the Operating System to store valuable data.

On OS X, you can make use of the Keychain.

On linux, I would use file permissions to secure the file.

What you are proposing:

Is it a good idea to put the key and the encrypted password in the same properties file?

Is like storing your money in a safe, then writing the combination to the safe on a sticky note and sticking the note on the safe. All you've done is inconvenienced the thief, but not added any meaningful level of security.

If the property file is secure enough to house an encryption key, then you can store passwords in it, in plaintext.

Alan
+1. Security by obscurity at best...
Mehrdad Afshari
A: 

I have the following suggestions:

  1. Don't store the key in the WAR. We leave the responsibility of securing the key to each installation. On production, we can actually secure it by storing the key files on a smartcard.

  2. Make sure your keys are versioned so you can rotate them regularly.

  3. Store pass-phrases to generate the key, instead of the raw key material. This makes it easier to add new keys (you don't have to worry about algorithm or keysize etc). It also adds some obscurity.

ZZ Coder
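The two answers above fit together: keep the key material in a file outside `webapps/` that only the Tomcat user can read (Alan's file-permission point), and make the ciphertext in `WEB-INF` carry a key version so keys can be rotated and derived from a passphrase (ZZ Coder's points 1 to 3). The class below is an added example written for this page, not code from either poster. It assumes a key file whose path comes from a `myapp.keyfile` system property (the name, the `/etc/myapp/keys.properties` default, the `key.current` / `key.N.passphrase` layout and the `vN:` token prefix are all this example's own conventions); the `main` method builds a throwaway key file so it runs offline.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class PasswordVault {
    // Assumed layout (this example's convention, not from the page):
    //   key file, outside webapps/, mode 600, owned by the Tomcat user:
    //     key.current=2
    //     key.2.passphrase=...        (passphrase, not raw key bytes)
    //     key.1.passphrase=...        (kept until every v1 token is re-encrypted)
    //   WEB-INF/app.properties holds only versioned ciphertext:
    //     db.password=v2:BASE64(salt | iv | AES-GCM ciphertext+tag)
    private static final int PBKDF2_ITERATIONS = 200_000;
    private static final int SALT_LEN = 16, IV_LEN = 12, TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Derive a 256-bit AES key from a passphrase with PBKDF2-HMAC-SHA256. */
    static SecretKey deriveKey(char[] passphrase, byte[] salt) throws GeneralSecurityException {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        // 256-bit AES needs the unlimited JCE policy on JREs older than 8u161.
        byte[] raw = f.generateSecret(new PBEKeySpec(passphrase, salt, PBKDF2_ITERATIONS, 256)).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    /** Encrypt under a given key version; fresh salt and IV per call. */
    static String encrypt(String keyVersion, char[] passphrase, String plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN], iv = new byte[IV_LEN];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[SALT_LEN + IV_LEN + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_LEN);
        System.arraycopy(iv, 0, out, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + IV_LEN, ct.length);
        return "v" + keyVersion + ":" + Base64.getEncoder().encodeToString(out);
    }

    /** Decrypt a "vN:..." token with whichever key version it names. */
    static String decrypt(Properties keys, String token) throws GeneralSecurityException {
        int colon = token.indexOf(':');
        if (colon < 2 || token.charAt(0) != 'v') throw new IllegalArgumentException("unversioned ciphertext");
        String version = token.substring(1, colon);
        String pp = keys.getProperty("key." + version + ".passphrase");
        if (pp == null) throw new IllegalStateException("no passphrase for key version " + version);
        byte[] blob = Base64.getDecoder().decode(token.substring(colon + 1));
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(pp.toCharArray(), salt), new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);  // GCM tag check rejects tampering
    }

    /** Load the key file, refusing it if anyone but the owner can read it (POSIX only). */
    static Properties loadKeyFile(Path keyFile) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile);
        if (perms.contains(PosixFilePermission.GROUP_READ) || perms.contains(PosixFilePermission.OTHERS_READ)) {
            throw new IOException(keyFile + " must be readable only by the Tomcat user (chmod 600)");
        }
        Properties keys = new Properties();
        try (InputStream in = Files.newInputStream(keyFile)) {
            keys.load(in);
        }
        return keys;
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key file; in production the path would come from
        // System.getProperty("myapp.keyfile") and point outside webapps/.
        Path keyFile = Files.createTempFile("keys", ".properties");
        Files.setPosixFilePermissions(keyFile,
                EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE));
        Files.write(keyFile, Arrays.asList(
                "key.current=2",
                "key.2.passphrase=correct horse battery staple",
                "key.1.passphrase=old-phrase-kept-for-rotation"));
        Properties keys = loadKeyFile(keyFile);
        String current = keys.getProperty("key.current");

        // Tooling side: produce the value to paste into WEB-INF/app.properties.
        String token = encrypt(current, keys.getProperty("key." + current + ".passphrase").toCharArray(), "s3cret-db-pw");
        System.out.println("db.password=" + token);
        // Application side: decrypt whatever version the properties file carries.
        System.out.println(decrypt(keys, token));
        // A token made under the retired v1 key still decrypts until it is re-encrypted under v2.
        String old = encrypt("1", keys.getProperty("key.1.passphrase").toCharArray(), "legacy-pw");
        System.out.println(decrypt(keys, old));
        Files.delete(keyFile);
    }
}
```

Rotation with this layout is a two-step job: add `key.3.passphrase` and set `key.current=3`, re-encrypt every `vN:` value with the tooling side, then delete the old passphrase line. The permission check only guards the file itself; the Tomcat process still has the key in memory, so this raises the bar against a leaked WAR or a readable `webapps/` tree, not against an attacker who already runs code as the Tomcat user.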
+1  A: 

Have you considered the KeyStore class in the Java API. It's a part of Sun's Java Cryptography Architecture.

Chintan
I believe you can only store public/private keypairs (asymmetric keys) in the standard keystore, not AES symmetric keys. There is a keystore impl that allows symmetric keys: http://khylo.blogspot.com/2009/12/keytool-keystore-cannot-store-non.html
simonlord
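For completeness on the KeyStore suggestion: the JCEKS store type that ships with the JDK's SunJCE provider accepts `KeyStore.SecretKeyEntry`, so an AES key can live in a keystore file outside `webapps/` without a third-party implementation. The class below is an added example written for this page, not code from the answer or from the linked blog. The store path, alias and the store password (assumed to reach Tomcat through its environment rather than a properties file) are this example's own assumptions; `main` writes to a temp file so it runs offline.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class SymmetricKeyStore {
    // Assumed: a JCEKS file outside webapps/ (e.g. /etc/myapp/app.jceks) whose
    // store password is handed to Tomcat via its environment, never via WEB-INF.
    private static final String STORE_TYPE = "JCEKS";

    /** Add or replace an AES key under the given alias, creating the store if needed. */
    static void storeAesKey(Path file, char[] storePw, String alias, SecretKey key) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) {
                ks.load(in, storePw);
            }
        } else {
            ks.load(null, null);  // initialise an empty store
        }
        // SecretKeyEntry is what JKS lacks and JCEKS provides; the entry gets
        // its own password-based protection (here the same as the store password).
        ks.setEntry(alias, new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(storePw));
        try (OutputStream out = Files.newOutputStream(file)) {
            ks.store(out, storePw);
        }
    }

    /** Read the AES key back; fails loudly if the alias holds something else. */
    static SecretKey loadAesKey(Path file, char[] storePw, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, storePw);
        }
        KeyStore.Entry e = ks.getEntry(alias, new KeyStore.PasswordProtection(storePw));
        if (!(e instanceof KeyStore.SecretKeyEntry)) {
            throw new IllegalStateException("no secret key under alias " + alias);
        }
        return ((KeyStore.SecretKeyEntry) e).getSecretKey();
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo: temp file in place of /etc/myapp/app.jceks.
        Path file = Files.createTempFile("app", ".jceks");
        Files.delete(file);  // let storeAesKey create a fresh store
        char[] storePw = "store-password-from-env".toCharArray();

        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);  // 128 keeps the demo working without the unlimited JCE policy on old JREs
        SecretKey original = kg.generateKey();

        // Versioned alias, so a v2 key can be added later without touching v1.
        storeAesKey(file, storePw, "db-password-key-v1", original);
        SecretKey loaded = loadAesKey(file, storePw, "db-password-key-v1");

        System.out.println(Arrays.equals(original.getEncoded(), loaded.getEncoded())
                ? "round trip ok: " + loaded.getAlgorithm() + " key restored"
                : "MISMATCH");
        Files.delete(file);
    }
}
```

The same store can be created from the command line with `keytool -genseckey -alias db-password-key-v1 -keyalg AES -keysize 128 -storetype JCEKS -keystore /etc/myapp/app.jceks`. Two caveats apply: JCEKS protects entries with a legacy PBE scheme (PBEWithMD5AndTripleDES), so the keystore file still needs the same `chmod 600` treatment as a plain key file, and the store password has to come from somewhere the WAR cannot read, otherwise this is Alan's sticky note again with one more layer of indirection.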