You could remove the secret keys using the git-filter-repo tool, see this explanation in the GitHub documentation. git-filter-repo is much preferable to the older git filter-branch. My old, now somewhat out-of-date answer: You could remove the secret keys from the repository using a hammer like git filter-branch. There is a nice explanation on GitHub’s help … Read more
There is no right or wrong answer. There are numerous factors to consider: If this is for/in G-Suite, then your G-Suite admins’ll have (or can get) access to anything. This may or may not be an issue. If you put the data in a sheet, anyone that has read access to the sheet can see … Read more
Let us breakdown the word piece by piece: PBKDF2–WithHmac–SHA512 Let’s go over it part by part PBKDF2 Stands for Password-based-Key-Derivative-Function, a successor of PBKDF1 and is used to implement a pseudorandom function, such as a cryptographic hash, cipher, or HMAC to the input password or passphrase along with a salt value and repeats the process … Read more
Crazy as it sounds, this is probably the best solution. Everything else is more complicated, but not much more secure. Any fancy obfuscation techniques you use are just going to be reverse engineered almost as quickly as they’ll find this key. But this static key solution, while wildly insecure, is nearly as secure than the … Read more
Does this Secret has to be unique? It should be unique to your application — it needs to be a secret, after all — but it won’t be unique for each token. Rather, you should have a relatively small number of secret keys at any given time (e.g., usually having just one key, but having … Read more
You need to use the new keyword to call the constructor and create the object. SecretKey originalKey = new SecretKeySpec(encodedKey, 0, encodedKey.length, “AES”); When you try to call it without new, the compiler thinks it might be a method you’ve defined inside that class, hence your error message.
There is no real perfect solution. No matter what you do, someone dedicated to it will be able to steal it. Even Twitter for iPhone/iPad/Android/mac/etc. has a secret key in there, they’ve likely just obscured it somehow. For example, you could break it up into different files or strings, etc. Note: Using a hex editor … Read more
Let me try to break down your question to multiple subquestions/assumption: Assumptions: a) Keychain is safe place Actually, it’s not that safe. If your application is installed on jailbroked device, a hacker will be able to get your keys from the keychain Questions: a) Is there a way to put some key into an app … Read more
If you use a block-chaining mode like CBC, you need to provide an IvParameterSpec to the Cipher as well. So you can initialize an IvParameterSpec like this: // build the initialization vector. This example is all zeros, but it // could be any value or generated using a random number generator. byte[] iv = { … Read more