Open antlen opened 3 years ago
There is no real need to store a secret key as a String as Binance just needs the byte[] to create the SecretKeySpec. Added to this, a lot of developers will store their private key in a java keystore and when the key is loaded from the keystore it will be in a byte[]. So the ideal scenario is to load the key as byte[] from the keystore and pass to binance to create the SecretKeySpec from the byte[]. In this flow the secret key never needs to be stored as a String for the lifetime of the application.
```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import javax.crypto.spec.SecretKeySpec;

char[] keystorePassword; // ="xxxxx"; the keystore password, obtained as a char[] rather than a String
KeyStore keystore = KeyStore.getInstance("JCEKS");
try (FileInputStream in = new FileInputStream(ATH)) { // ATH: path to the keystore file
    keystore.load(in, keystorePassword);
}
Key k = keystore.getKey("BinanceSecretKey", keystorePassword);
SecretKeySpec secret = new SecretKeySpec(k.getEncoded(), "AES");
// proposed overload: the factory takes the raw byte[] so the secret is never held as a String
BinanceApiClientFactory factory = BinanceApiClientFactory.newInstance(apiKey, secret.getEncoded());
```
https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx
However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords.
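As an added Java example (not code from this issue or from the binance-java-api project), here is the full round trip the issue describes: a constructed secret is provisioned into a JCEKS keystore, loaded back as a byte[], used to sign a request, and then both the key bytes and the keystore password are zeroed so no String copy of the secret ever exists. It assumes the downstream client only needs the raw bytes and signs with HMAC-SHA256; the file name, alias, password and payload are constructed for the demo.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class KeystoreSecretDemo {
    static final String ALIAS = "BinanceSecretKey";
    // Load the entry as raw bytes; the caller zeroes the array when done.
    static byte[] loadSecret(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks.getKey(ALIAS, password).getEncoded();
    }

    // Sign a query string with HMAC-SHA256 using only the byte[]; no String copy of the secret is made.
    static String sign(byte[] secret, String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] out = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : out) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        String path = "demo.jceks";                  // constructed demo file, written below
        char[] password = "changeit".toCharArray();  // constructed demo password
        // One-time provisioning: put a constructed secret into a JCEKS keystore as a SecretKeyEntry.
        byte[] provision = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(new SecretKeySpec(provision, "HmacSHA256")),
                    new KeyStore.PasswordProtection(password));
        try (FileOutputStream out = new FileOutputStream(path)) { ks.store(out, password); }
        Arrays.fill(provision, (byte) 0);            // the provisioning copy is no longer needed
        byte[] secret = loadSecret(path, password);
        try {
            System.out.println(sign(secret, "symbol=BTCUSDT&timestamp=1"));
        } finally {
            Arrays.fill(secret, (byte) 0);           // wipe the key bytes once used
            Arrays.fill(password, '\0');             // wipe the keystore password too
        }
    }
}
```

Because `getEncoded()` returns a fresh copy, the array you zero is the one you were handed; the keystore object itself still holds its own copy until it is garbage collected, so keep its lifetime short as well.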