Reputation: 134
Securely saving API keys in database
We are implementing a web app where we want users to log in to our website and enter API keys that allows them to authenticate to website #2. We want to save the API keys to a database so that users only have to enter them once. What are the standard best practices for securely saving the API keys to the database such that we, the developers, can’t access them? Salt and hash? How do we make users feel at ease with providing our app with the API keys?
Upvotes: 0
Views: 283
Answers (2)
Reputation:
Maybe you can go with the salt & hash but there is another option too which is to implement a Diffie–Hellman key exchange or SRP protocol
Upvotes: 0
Reputation: 143
Salt and hash (or more precisely just hashing) is a one-way street, you can't get back the contents you put into the hashing function from the hash you've received.
Frankly for protection against devs you should probably set up a legal contract between the two parties (you and customer) and SO can't help with that.
The keyword you're looking for is encryption. For example public/private key encryption through GnuPG or OpenSSL where you hand over the private key to the user (through a SSL connection of course) or encrypt the bytes with GnuPG with a passphrase that is the user's password.
There are a lot of options but you should probably re-submit this question with better phrasing using the knowledge you gain after googling all of the phrases I just used.
Upvotes: 1
Related Questions
- Storing API keys & secrets on servers
- Storing API keys on server
- best practices for storing API access keys in asp.NET MVC
- How to protect API keys in PWA (Progressive Web Application)
- How to store API keys in for a third party web app that accesses an API
- How to store the API keys of my clients in a secure way?
- Protecting API Secret Keys in a Thick Client application
- What's the best way to store API secrets and encryption keys?
- Safe way to store web api credentials?
- Protecting API Key in a JS application