Skip to content

best way to store aes encrypted data

What is the best/secure/easy to implement way to (locally) store data which has been encrypted using AES encryption? There doesn’t seem to be a proper guide or standard way to store the data, but after looking at some projects that use AES encryption, these seem to be the formats that come most:

  • XML
  • Text files
  • csv

for csv – the AES encrypted data might contain ‘,’ commas which could be cause problems for csvs

for text files – if there are multiple data columns per item, would the data storing look like this?;

item directory
|__ item's encrypted key1.txt
|__ item's encrypted key2.txt

When decrypting the data should the program decrypt the actual file or get the content of the file to memory and then decrypt it?

The first way seems to be unsecure, if the applications for some reason crashes after the files have been decrypted then the data will be exposed also it will cause problems when reluaching and trying to decrypt already decrypted data.

Which is the best way to store the data? and how should writing the data be implemented (preferably java)



Encrypted data is a sack of bytes. It has no structure and cannot be rendered as text.

The obvious way to store it is as a sack of bytes: Take your encrypted data, open a FileOutputStream / Files.newOutputStream, and write it. Verbatim.

Having encrypted data in a .txt file is silly. CSV is even crazier. It has no structure – if you can detect anything other than random noise in encrypted data, then it wasn’t encrypted (perhaps ‘slightly obfuscated in a way any serious hacker is not going to get fazed by in the slightest’, and lets not call that ‘encryption’).

You can’t compress it, either (if you want to compress data, compress first, then encrypt it. If you encrypt something, and if you then compress it and it gets smaller, your encryption algorithm is broken!) – hence, just, start writing.

If you need to transfer encrypted data across a channel that does not allow bytes, only text, then generally the text it allows is also problematic if you use wonky characters or encodings and is limited in that e.g. quotes aren’t allowed either. The industry standard solution to this problem is to take any bunch of bytes and convert it to safe ASCII characters using Base64. Note that this is inefficient: An input of X bytes becomes a base64 string of (X*4/3) bytes, e.g. it grows by 33% percent, for no reason.

This is a good idea if you need to send this stuff in emails, you want people to be able to open the file in an editor and copy/paste it into a web form, it needs to go in a data-x="" attribute of an HTML document, you want to send it in an HTTP header, etcetera.

for text files – if there are multiple data columns per item, would the data storing look like this?;

It really sounds like you have some structured data, such as a bunch of data representing a person, say:

  "dob": "2000-01-01",
  "name": "Joey Bloggs",
  "parents": [
    "Anna Bloggs",
    "Jane Bloggs"],
  "hobbies": [
    {"name": "Painting", "started": "2020-05-01"}

and you want to encrypt this by keeping the structure but just encryping each ‘value’ in it. Something like:

  "dob": "AJDNDA21489234JDASD9234",
  "name": "FDJFFDJADIDN235AFSFDS1243",
  "parents": [
 ... and so on

This is a very bad idea. The structure alone gives me loads of information (I don’t know who this is, but I do know they have 1 hobby and 2 parents. I even know something about roughly how ‘long’ the names of the parents are!).

Just take the entire blob and encrypt the whole thing.