Encryption and key management continue to be perceived as challenges for .NET developers as more compliance regulations and state laws require the physical separation of encryption keys from the data they protect.
In the past, .NET developers might have used the Windows DPAPI to store encryption keys, or might have stored them in a SQL Server database. That approach does not meet the requirements for dual control, separation of duties, and split knowledge required by security best practices and compliance regulations such as PCI DSS, HIPAA/HITECH, GLBA/FFIEC, and others.
Historically, Microsoft .NET developers expected to experience some heartburn with an encryption key manager because:
- Key management vendors were historically not responsive to the needs of a .NET developer and failed to provide interfaces that work naturally in this environment
- Complex DLL implementations required special .NET wrapper code
- Poor integration with the existing .NET encryption APIs
- The absence of quality sample code which made life difficult for the Microsoft .NET developer or slowed down application development
There have been a lot of changes that now make it easier on Microsoft .NET developers to approach encryption and key management. A key manager solution should:
- Provide a .NET assembly key retrieval library that integrates naturally in all of the Microsoft development languages.
- Provide for key retrieval directly into .NET applications so that developers can use the native .NET encryption libraries.
- By not forcing server-based encryption or the use of special encryption libraries, you decide the best approach to encryption once an encryption key is retrieved to the application (this approach also supports Microsoft’s Managed Code architecture)
- Offer vetted sample code to help speed development! You can install a working .NET GUI application that retrieves encryption keys from the server, and the install includes the Visual Studio project and source code
- Integration of encryption key retrieval routines with the Windows certificate store and native Windows communications facility.
- When a Windows application authenticates, the certificates used for the secure TLS connection are under Windows security and control. The TLS communications is done with native Windows communications APIs. This reduces the chance of loss of certificates and private keys, supports the MMC management of certificates, and integrates with Microsoft’s patch update strategy.
As a developer, you might have applications written in a .NET language that update non-Microsoft databases, or which work with unstructured data. These technical hurdles should not stop you from using an encryption key manager to meet compliance requirements for protecting encryption keys.
- Look for a .NET Assembly and DLL that you can add to your .NET project to retrieve encryption keys from the HSM. A few lines of C# or VB.NET code and you are retrieving the encryption key from the HSM.
- Make sure sample code is provided on the product CD to get you up and running quickly. There should be sample applications with source code that you can use as a starting point in your projects.
- The .NET Assembly should work with any .NET language. It should also work with the Common Language Runtime (CLR) environment, and with Stored Procedures. Make sure you can mix and match your .NET languages, databases, and OS platforms.
The combination of NIST validated encryption and an affordable FIPS 140-2 compliant key management solution with solid support for the Microsoft .NET developer makes our Alliance Key Manager a great option for users who need to meet security best practices and compliance regulations for key management. It is time to change your encryption strategy to incorporate solid encryption and an external key manager, whether that is an HSM, Cloud HSM, or virtual environment.
Download our white paper, Key Management in the Multi-Platform Environment, for more information on securing your encryption keys.