PabloDK

Reputation: 2509

Where to store sensitive data?

I have 2 NodeJS apps and they exchange some data. The data is encrypted via AES. At the moment the AES key is hardcoded in the JavaScript code at the client and at the server.

The question is: What is best practice? Where do I store the keys at the client/server? Both apps are 100% console apps (no user/browser interaction).

UPDATE: I used the terms client/server because, to me and regarding the app logic, it is a server/client relation. But the apps are literally running on two separate AWS server instances. I can even make IP restrictions between the two instances. So nobody should have access to the instances other than the AWS RDP account and through the ports the two instances are communicating via...

They exchange data via a web socket connection and sometimes they also access an HTTP API running at a third instance... that's all... so is it safe enough to have the keys hardcoded, or where should I place them?

Upvotes: 1

Views: 68

Answers (1)

Bálint

Reputation: 4049

You should have a random key instead of the fixed one, because if anyone gets hold of it, then they can use a man-in-the-middle attack.

Try generating a key on the server and send it to the client. On the client you store this somewhere (preferably in a scope) and when you need to read or write messages, then you can simply use that.

Additionally, you should have a different key for every client and if possible, you should change the keys regularly.

Everything is pretty much open source if you know how to convert it back, even with obfuscators (you can almost always deobfuscate). Having a hard-coded key is as useful as not having a key at all.

Upvotes: 1
