No, it should definitely not be in code. This means if you use source control it will be committed to the repository where anyone with access can see it. If it is in a config then you can ignore the config file.
You also normally want to have test environment keys vs production keys. With a config it's possible that none of the developers working on the code actually know the production key. The fewer people that know a secret the better.
There are also additional measures you can take to encrypt the config file. For example with .NET's app.config you can encrypt the config at a machine or user level using DPAPI.
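A sketch of the DPAPI option mentioned above, added here as an example and not part of the original answer: it encrypts the `appSettings` section of the deployed config with the built-in DPAPI provider and reads the key back, failing if it is absent. It assumes .NET Framework on Windows with a reference to System.Configuration; the setting name `ApiKey` is hypothetical.

```csharp
using System;
using System.Configuration; // requires a reference to System.Configuration.dll

static class ApiKeyConfig
{
    // Name of the built-in DPAPI protected-configuration provider.
    const string DpapiProvider = "DataProtectionConfigurationProvider";
    const string KeyName = "ApiKey"; // hypothetical setting name

    // Encrypts <appSettings> in the deployed *.exe.config in place.
    // Run on the target machine: the built-in provider uses machine-level
    // protection by default, so the result only decrypts on that machine.
    public static void ProtectAppSettings()
    {
        Configuration config =
            ConfigurationManager.OpenExeConfiguration(ConfigurationUserLevel.None);
        ConfigurationSection section = config.GetSection("appSettings");
        if (section == null)
            throw new ConfigurationErrorsException("appSettings section not found");
        if (section.SectionInformation.IsProtected)
            return; // already encrypted, nothing to do

        section.SectionInformation.ProtectSection(DpapiProvider);
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
    }

    // Decryption is transparent to the reader; a missing key is an error,
    // never a silent fallback to a default or hardcoded value.
    public static string GetApiKey()
    {
        string key = ConfigurationManager.AppSettings[KeyName];
        if (string.IsNullOrWhiteSpace(key))
            throw new ConfigurationErrorsException("Missing appSettings key: " + KeyName);
        return key;
    }
}

static class Program
{
    static void Main()
    {
        ApiKeyConfig.ProtectAppSettings();
        string key = ApiKeyConfig.GetApiKey();
        Console.WriteLine("API key loaded, length " + key.Length); // never log the key itself
    }
}
```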