I recently had the same situation come up and ended up choosing the security-by-obscurity approach. I generated a key as you did and stored it in a file outside of the web root. I read the key as needed and destroy it to keep it out of memory. I'd be interested in how others handled this, as well.
On Sep 25, 2006, at 3:35 PM, Ray Champagne wrote:

> So, first time I've ever ran into the need to encrypt data in my DB, and I
> already have a question. When using the Encrypt function in CF, one must
> supply a key, I'm using the GenerateSecretKey function to get said key. My
> question is, once I've stored the encrypted field in the database, where do
> I store the key so that I can use the decrypt function on the other side to
> retrieve the data? Should generate a new key for every string, or use one
> that will work on the entire DB? Never been down this road before, so any
> pointers would be helpful.

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:254162
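The approach described in this reply (one key, kept in a file outside the web root and read only when needed), sketched as an added example that is not code from either poster. The key file path, variable names and sample value are assumptions.

```cfml
<!--- Added example. keyFile is a hypothetical path outside the web root,
      readable only by the account the ColdFusion service runs as. --->
<cfset keyFile = "/opt/app-secrets/db-field.key">

<!--- One-time setup: generate the key only if no key file exists yet.
      Regenerating it later would leave every stored value undecryptable,
      so the same key is used for the whole column. --->
<cfif NOT FileExists(keyFile)>
    <cffile action="write" file="#keyFile#"
            output="#GenerateSecretKey('AES')#" addnewline="no" mode="600">
</cfif>

<!--- Per request: read the key into a page-local variable, never into
      the application or session scope. --->
<cffile action="read" file="#keyFile#" variable="fieldKey">
<cfset fieldKey = Trim(fieldKey)>

<!--- Constructed sample value standing in for the sensitive field. --->
<cfset plain = "sample-sensitive-value">

<!--- Encrypt before the INSERT/UPDATE; store the Base64 text in the column. --->
<cfset stored = Encrypt(plain, fieldKey, "AES", "Base64")>

<!--- Decrypt after the SELECT, using the same key and the same arguments. --->
<cfset roundTrip = Decrypt(stored, fieldKey, "AES", "Base64")>

<cfif Compare(roundTrip, plain) NEQ 0>
    <cfthrow message="Decrypt did not return the original value; check the key file.">
</cfif>

<!--- Clear the local copy once the work is done. --->
<cfset fieldKey = "">
```

Keep the key file out of source control, and back it up separately from the database dumps so that a stolen dump does not come with the key.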

