Challenge 40

Welcome to challenge 40. You need to guess the secret that is hidden in Java, Docker, Kubernetes, Vault, AWS or GCP.

Insecure Encryption Key - Part 2

A developer encrypted a secret using AES and stored its base64-encoded value in a JSON file. But where to leave the key? What about just leaving the key inside the file with the secret? That way, every secret can have its own key easily! Can you find the secret?

The challenge file is called secrchallenge.json and can be found in the executables folder.

Answer to solution:

Why should we not store the encryption key and the secret together?

Storing an encryption key together with the data it encrypts is a bad practice because it undermines the protection the encryption was supposed to provide: the ciphertext is only as secret as the key, and here both travel together.

In such a scenario, an attacker has the key the moment the file is in their possession, so the encryption adds no security at all.

Encryption keys should always be stored securely and separately from the data they protect, in a dedicated secrets store such as Vault or a cloud KMS, and handed to the application out of band.
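As an added example (not code from the WrongSecrets challenge), the loader below refuses a JSON file that carries its own key and otherwise decrypts the secret with a key obtained out of band. The field names "secret" and "key", the key and the nonce are constructed for this example; the real secrchallenge.json layout is not assumed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
)
// gcmFor builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns base64(nonce || AES-GCM ciphertext), the stored form; the nonce is a parameter only so the test is repeatable.
func Seal(key, nonce, plaintext []byte) (string, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(append([]byte(nil), nonce...), nonce, plaintext, nil)), nil
}

// Load refuses a document that ships its own key (the challenge's layout) and otherwise
// decrypts "secret" with a key obtained out of band (environment, Vault, a cloud KMS).
func Load(doc, key []byte) ([]byte, error) {
	var f map[string]string
	if err := json.Unmarshal(doc, &f); err != nil {
		return nil, err
	}
	if _, ok := f["key"]; ok {
		return nil, errors.New("key stored beside ciphertext: whoever holds the file holds the secret")
	}
	raw, err := base64.StdEncoding.DecodeString(f["secret"])
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(raw) >= n {
		return gcm.Open(nil, raw[:n], raw[n:], nil)
	}
	return nil, errors.New("stored value too short to hold a nonce")
}
```

Wire Load into a CI or pre-commit check so a file with an embedded key never reaches a repository or an image.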