Security Basics mailing list archives

Re: Securing an encryption key within software.


From: simonis () myself com
Date: 19 Jun 2006 15:25:52 -0000

As you have discovered, you can't.  All you are doing is moving the problem.  If the attacker discovers your hardcoded 
key, then s/he can decrypt the file containing the DB key, so there is no additional security to this.  It just adds a 
step to the process.  

Usually, in a very secure environment, a hardware security module is used to contain the key, and the application 
brokers access to that key for the DB.  Such things can be done in software as well.  One could argue that this is also 
not ideally secure, since anyone in possession of the application who could have recovered the key could also determine 
the function calls to get the HSM to give up the keys.  

In general, this is a war between function and security.  One good way to secure the key is to encrypt it with a 
passphrase that the admin would enter upon initialization, and then store the key in protected memory.  But, that makes 
restart difficult.

I might recommend you read Kevin Kenan's book on database security; it focuses almost entirely on encryption and the 
challenges of same, offering some thoughtful solutions.  
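
The passphrase approach described in the message above, as an added example that is not part of the original post: the DB key is wrapped with AES-256-GCM under a key derived from the admin's passphrase, and only the wrapped blob is stored on disk. The function names, the blob layout and the scrypt cost parameters are assumptions made for this sketch (Node.js, built-in crypto module only).

```javascript
// Added example, not code from the original post. All names are hypothetical.
const nodeCrypto = require('node:crypto');

// scrypt cost parameters: assumed values for the sketch, tune for your hardware.
const KDF = { N: 1 << 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };

function deriveKek(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32, KDF);
}

// Wrap the DB key under a passphrase-derived key.
// Blob layout (assumed): salt(16) | iv(12) | tag(16) | ciphertext, base64.
function wrapKey(dbKey, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const kek = deriveKek(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
  const ct = Buffer.concat([cipher.update(dbKey), cipher.final()]);
  const tag = cipher.getAuthTag();
  kek.fill(0); // do not keep the wrapping key around
  return Buffer.concat([salt, iv, tag, ct]).toString('base64');
}

// Called once at start-up with the passphrase the admin types in.
// Throws if the passphrase is wrong or the stored blob was modified.
// The returned key exists only in process memory, so every restart
// needs the passphrase again (the trade-off the message points out).
function unwrapKey(blob, passphrase) {
  const raw = Buffer.from(blob, 'base64');
  const kek = deriveKek(passphrase, raw.subarray(0, 16));
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', kek, raw.subarray(16, 28));
  d.setAuthTag(raw.subarray(28, 44));
  try {
    return Buffer.concat([d.update(raw.subarray(44)), d.final()]);
  } finally {
    kek.fill(0);
  }
}

// Constructed round trip: true when the right passphrase recovers the key
// and a wrong one is rejected by the GCM tag check.
function demo() {
  const dbKey = nodeCrypto.randomBytes(32); // constructed sample key
  const blob = wrapKey(dbKey, 'constructed passphrase');
  const ok = unwrapKey(blob, 'constructed passphrase').equals(dbKey);
  let rejected = false;
  try { unwrapKey(blob, 'wrong guess'); } catch (e) { rejected = true; }
  return ok && rejected;
}
```
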

