Topic: Best way to store/reference private encryption keys?

Martin F (Topic starter)
Best way to store/reference private encryption keys?
« on: October 23, 2019, 07:08:41 am »
Hi all,

We manufacture a data logger that records data from onto an SD card.

As part of this, we've been working on enabling encryption of the data directly on the SD card.
This is done using public/private key pairs.

To decode the data the private key will be required as input for the software/script.
However, we're unsure how to best guide our users on storing and parsing the private key for such purposes.

The decoding may be done via executables/CLI tools on a PC, or as part of scripts running on a server storing the data.

We'd appreciate any suggestions/thoughts in regards to how the private key would typically be stored.
- incl. if you have suggestions/examples for the specific file format/structure.

Thanks,
Martin
« Last Edit: October 23, 2019, 02:45:47 pm by Martin F »
 

ebclr
Re: Best way to store/reference private encryption keys?
« Reply #1 on: October 23, 2019, 12:14:32 pm »
Option 1

https://www.yubico.com/services-with-yubikey/fido-u2f/

Option 2

https://en.wikipedia.org/wiki/Smart_card

Option 3

Send the asc certificate, to be installed on datalogger downloader
 

Jeroen3
Re: Best way to store/reference private encryption keys?
« Reply #2 on: October 23, 2019, 01:50:57 pm »
1. Private keys are encrypted with a password and stored somewhere.

2. They are handed over to the operating system certificate vault.
https://docs.microsoft.com/en-us/windows/win32/seccng/key-storage-and-retrieval

Side effects:
1. The user will forget the password.
2. The key will be forgotten on system migration.
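
One way a decoding tool could enforce option 1 above before it accepts a key file, as an added example that is not part of any post in this thread: it rejects PEM private keys that are not password-encrypted or that other accounts can read. It assumes PEM-format key files and POSIX permission bits; the function names and the sample blocks are constructed for illustration.

```python
import os
import re
import stat

# One PEM block: label in group 1, headers plus base64 body in group 2.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
LEGACY = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}  # OpenSSL traditional

def classify_pem(text):
    """Return 'plaintext', 'encrypted' or 'no-key'; one unprotected key wins."""
    verdict = "no-key"
    for label, body in PEM_BLOCK.findall(text):
        if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8 wrapped with a password
            verdict = "encrypted"
        elif label in LEGACY and "Proc-Type: 4,ENCRYPTED" in body:
            verdict = "encrypted"  # legacy format flags encryption in a header
        elif label == "PRIVATE KEY" or label in LEGACY:
            return "plaintext"
    return verdict

def check_key(text, mode):
    """Return a list of problems; an empty list means the key is acceptable."""
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # POSIX permission bits (assumption)
        problems.append("key file is accessible to group/other (mode %o)" % mode)
    kind = classify_pem(text)
    if kind == "plaintext":
        problems.append("private key is not password-encrypted")
    elif kind == "no-key":
        problems.append("no supported PEM private key found")
    return problems

def check_key_file(path):
    """Apply check_key to a key file on disk."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="ascii", errors="replace") as fh:
        return check_key(fh.read(), mode)

# Constructed samples: the base64 body is a placeholder, not real key material.
BODY = "Q09OU1RSVUNURUQ=\n"
PKCS8_ENC = "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY + "-----END ENCRYPTED PRIVATE KEY-----\n"
PKCS8_PLAIN = "-----BEGIN PRIVATE KEY-----\n" + BODY + "-----END PRIVATE KEY-----\n"
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              + BODY + "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(check_key(PKCS8_ENC, 0o600))
    print(check_key(PKCS8_PLAIN, 0o644))
```

A script or CLI decoder would call `check_key_file(path)` first and stop with the returned messages if the list is not empty.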
 

0culus
Re: Best way to store/reference private encryption keys?
« Reply #3 on: October 23, 2019, 02:16:27 pm »
Quote from: Martin F
> Hi all,
>
> We manufacture a data logger that records data from onto an SD card.
>
> As part of this, we've been working on enabling encryption of the data directly on the SD card.
> This is done using symmetric key pairs. The public key is easily stored as part of the device info, but the user will need to store the private key safely somehow.
>
> To decode the data, we will need the public and private key.
>
> However, we're unsure how to best guide our users on storing and parsing the private key to our decoding software tools.
>
> The decoding of the data will typically happen during a manual drag & drop of the encrypted log files onto some executable on e.g. a PC. However, it may also happen as part of scripts, both on PCs as well as on servers/clouds.
>
> We'd appreciate any suggestions/thoughts in regards to how the private key would typically be stored - incl. if you have suggestions/examples for the specific file format/structure.
>
> Thanks,
> Martin

Just some minor terminology quibbling: a symmetric key is not the same thing as a public/private key pair. The former implies using the same key for encryption and decryption. Do you mean that you are using public key crypto to encrypt the AES key you're using on the data?
 

tv84
Re: Best way to store/reference private encryption keys?
« Reply #4 on: October 25, 2019, 12:03:36 pm »
Quibbling 2:

To decode the data, one doesn't need both priv/pub keys.

The OP never stated that he uses an AES key.

Answer:

My suggestion would be Jeroen3's 1st option.
 

