One thing that's always puzzled me about implementing encryption on
remote asp.net apps is where to store the keys. The demo code indicates
that you include them in a configuration file, but this would seem to
defeat the purpose. If someone obtained the configuration file and
they knew the encryption method, then they could decrypt your data.
Storing them hard-coded in the app is just as bad, since it can be
disassembled. Obfuscation could help, but the string would still be
obtainable.
So, my question is, how should encryption keys be handled?
Ideas? Pointers to good articles on the subject?
Thanks
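As an added illustration (not part of the original post), one standard mitigation for the plaintext-key-in-config problem described above is to let the framework encrypt the sensitive configuration section at rest with the machine's DPAPI key, so the file on disk no longer contains the key in the clear. The snippet below uses the built-in `DataProtectionConfigurationProvider`; the virtual path "/MyApp" and the setting name "EncryptionKey" are assumptions chosen for the example.

```csharp
// Added example: encrypt the <appSettings> section of an ASP.NET web.config
// with the built-in DPAPI provider. The runtime decrypts it transparently at
// read time, so application code does not change.
using System;
using System.Configuration;
using System.Web.Configuration;

class ProtectConfig
{
    static void Main(string[] args)
    {
        // Assumption: the application is deployed at virtual path "/MyApp".
        string appPath = args.Length > 0 ? args[0] : "/MyApp";

        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection("appSettings");

        if (section == null)
        {
            Console.WriteLine("No appSettings section found.");
            return;
        }

        if (!section.SectionInformation.IsProtected)
        {
            // DataProtectionConfigurationProvider wraps the section with Windows DPAPI.
            // The ciphertext is bound to this machine (machine-level key store), so a
            // copied web.config is not decryptable elsewhere without that key.
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            section.SectionInformation.ForceSave = true;
            config.Save(ConfigurationSaveMode.Modified);
            Console.WriteLine("appSettings section is now encrypted at rest.");
        }
        else
        {
            Console.WriteLine("appSettings section is already protected.");
        }

        // Reading is unchanged for the application; the framework decrypts on access.
        // Assumption: the protected section holds a setting named "EncryptionKey".
        string key = WebConfigurationManager.AppSettings["EncryptionKey"];
        Console.WriteLine(key == null ? "EncryptionKey not set." : "EncryptionKey readable by the app.");
    }
}
```

The same result can be obtained without code using the framework's command-line tool, `aspnet_regiis -pe "appSettings" -app "/MyApp"`. Note the limits: DPAPI protects the file at rest and against someone who copies it off the box, but any code running under the application's identity on that machine can still read the decrypted value, and for a web farm the RSA provider (or an external key store) is needed so every node can decrypt the same file.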