I am wondering what the best way to encrypt/decrypt my documents (which will be stored within my database) while at rest. My web app will allow user to upload document and share them with other people so they can download them.
I want the encryption keys/intial vectors to be generated from code so there is no user input. Here is my current thought which is a hybrid of AES/RSA.
Create a new table called keys within my database which will look like the following...
ID | Key | Vector
then when a document is uploaded the Key/Vector is generated and used to encrypt the document and then the document is saved into the document table returning the document ID, which will be stored within the new table in the ID field along with the key and vector.
Then i somehow need to protect the keys as anyone who grabs my database will have access to all the doucments still as the keys are there!
So i was thinking i would upload a private certificate into Azure storage and store the public certificate inside my web app so before the key/vector is saved my application will encrypt them with the public certificate.
Then when a user downloads a document, the app will connect to my Azure storage account and grab the private key, it will grab the row from key table associated with the document id they are trying to download and then it will use the private key to decrypt the key/vector then it will use the key/vector to decrypt the document.
Does this seem the best way forward for how to do it, am i way off, or is there a security hole within this solution?