jsstuball

Reputation: 4951

Securely storing API keys: environment versus JSON

I am aware that the standard way to store sensitive data is in the environment variables, in particular outside of the git repo.

There are many posts discussing this topic, reiterating this as standard practice, but I am still unclear on what the pros and cons are of storing passwords/keys actually as environment variables versus simply as JSON somewhere in the user's home directory outside the repo.

Unless I'm mistaken, if the server becomes compromised, both environment variables and an arbitrary JSON file are equally exposed to someone with access to the machine.

The two methods seem remarkably similar when you consider that for persistent environment variables the keys and secrets would probably be stored in an appropriate script like .profile anyway.

Upvotes: 3

Views: 1867

Answers (1)

DarkMatter

Reputation: 175

If you store API keys and something/someone gains permissions like those of the program which must normally use those keys, it is theoretically game over. However, practically, there are games you can play to make life hard for the adversary (and yourself, sadly):

  • Obfuscate the key locally... back up the key (encrypted) in a vault with a passphrase and only ever use the key in a compiled program that uses char arrays instead of strings (depends on language ofc). Maybe pass this program into an obfuscator which makes reverse engineering difficult.
  • Create an encrypted key store locally that only coughs up the key to programs that it "validates" as legitimate in some way.
  • Use a "honey" key that appears to be the real key and that you actively monitor for any usage, but store the real key in an obfuscated way somewhere cleverly in the codebase.
  • Store the key remotely (in a "more secure" server) and force the call to route through a remote service there which checks the message validity in some way, the calling server's IP, the MAC address, etc. and inserts the key and passes on the request, acting as a proxy of sorts.

Wish I could give a better answer. At the end of the day security is best effort. Secure your perimeter, your network, and the server and make it difficult to find the key post-intrusion. This difficulty may give you time to detect the intrusion before a data breach occurs.

Upvotes: 0
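
The last option in the answer above (a remote service that validates the caller and inserts the key) can be sketched as follows; this is an added example, not code from the answer's author. It assumes "message validity" means an HMAC-SHA256 signature over a timestamp and the body; the allowlist range, both secrets and all function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress

# All values below are constructed for illustration.
ALLOWED_CALLERS = [ipaddress.ip_network("10.0.5.0/28")]  # app servers allowed to call the proxy
CALLER_HMAC_KEY = b"constructed-shared-secret"            # authenticates callers; not the API key
UPSTREAM_API_KEY = "constructed-upstream-api-key"         # stored only on the proxy host
MAX_SKEW_SECONDS = 30


class Rejected(Exception):
    """Raised when a request fails one of the proxy's checks."""


def sign(timestamp: int, body: bytes, key: bytes = CALLER_HMAC_KEY) -> str:
    """What the calling server computes: HMAC-SHA256 over timestamp and body."""
    msg = str(timestamp).encode() + b"\n" + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_upstream_headers(caller_ip: str, timestamp: int, body: bytes,
                           signature: str, now: int) -> dict:
    """Validate caller and message, then return headers with the key inserted."""
    try:
        addr = ipaddress.ip_address(caller_ip)
    except ValueError:
        raise Rejected("unparseable caller address")
    if not any(addr in net for net in ALLOWED_CALLERS):
        raise Rejected("caller IP not on allowlist")
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        raise Rejected("stale or future-dated request")  # limits replay of captured requests
    expected = sign(timestamp, body).encode()
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if not hmac.compare_digest(expected, signature.encode()):
        raise Rejected("bad signature")
    # Only at this point is the real key attached, and only on the proxy side.
    return {"Authorization": f"Bearer {UPSTREAM_API_KEY}"}
```

A compromised application server can still send requests through such a proxy while it holds the caller secret, but it never sees the upstream key, and the proxy gives one place to log usage and cut off a caller.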
