Reputation: 53890
I have a webapp that uses keys and credentials to call API endpoints from external services like payment gateways, database providers, and such.
I have these options in mind to keep these values:
Which of these should I use if I want to keep keys as safe and secure as possible?
Upvotes: 0
Views: 120
Reputation: 10258
If you have lots of keys to manage, environment variables get clumsy. A hybrid approach works for me: encrypt the secrets and put them all in config (typically as base64). Use the same encryption key for all of them, and pass it in as an environment variable.
So you only need to make one environment variable to secure as many other secrets as you need.
Upvotes: 0
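A sketch of the hybrid approach from the answer above, added here as an example and not code from the answer's author. The cipher (AES-256-GCM), the JSON config layout, the variable name `APP_MASTER_KEY`, and all function names are assumptions chosen for illustration.

```ruby
require 'openssl'
require 'json'

# Assumed name of the one environment variable that carries the base64 master key.
KEY_ENV = 'APP_MASTER_KEY'

def master_key(env = ENV)
  key = env.fetch(KEY_ENV).unpack1('m0')   # KeyError if unset, ArgumentError if not base64
  raise ArgumentError, 'master key must be 32 bytes' unless key.bytesize == 32
  key
end

# Encrypt one secret. The config entry name is bound in as associated data,
# so a ciphertext copied onto a different entry fails authentication.
def seal(name, plaintext, key)
  raise ArgumentError, 'empty secret' if plaintext.empty?
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv                    # fresh 12-byte nonce for every secret
  cipher.auth_data = name
  ct = cipher.update(plaintext) + cipher.final
  [iv + cipher.auth_tag + ct].pack('m0')   # base64(iv || tag || ciphertext)
end

# Decrypt one config value; raises OpenSSL::Cipher::CipherError when the key is
# wrong, the value was modified, or it was moved to another entry name.
def open_secret(name, blob, key)
  raw = blob.unpack1('m0')
  raise ArgumentError, 'blob too short' unless raw.bytesize > 28
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = raw[0, 12]
  cipher.auth_tag = raw[12, 16]
  cipher.auth_data = name
  (cipher.update(raw[28..]) + cipher.final).force_encoding('UTF-8')
end

# Decrypt every entry of a JSON config of the form {"name": "<base64 blob>"}.
def load_secrets(config_json, key)
  JSON.parse(config_json).to_h { |name, blob| [name, open_secret(name, blob, key)] }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo values; a real key is generated once and kept out of the repo.
  key = master_key(KEY_ENV => [OpenSSL::Random.random_bytes(32)].pack('m0'))
  config = JSON.generate('db_password' => seal('db_password', 'constructed-pw', key))
  puts load_secrets(config, key).keys.inspect
end
```

Because decryption fails closed, the application can treat any `CipherError` at startup as a reason to refuse to run instead of continuing with missing credentials.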
Reputation: 7552
I would go with user environment variables, as it is recommended by both Google and Amazon.
If you go for storing in plain text files, remember to not keep them in your app's source tree (if you use some version control, you may end up exposing them to the public).
Also, remember to regenerate your keys periodically.
Upvotes: 2
Reputation: 699
I think you should, as you said, use configuration files. And maybe encrypt it?
Upvotes: 1