Reputation: 21
For a Node app, it is often discouraged to use the .env library to store API keys in production. What is the best way to store the keys in production?
The .env library is discouraged from being used in production for a Node app.
Upvotes: 1
Views: 2003
Reputation: 326
Using .env files is somewhat useful but limited. I would suggest using a proper application to achieve this.
HashiCorp's Vault is a very powerful tool for managing secrets. If you are looking for an open-source alternative, Keywhiz can be the solution, but I do not have production experience with it. I would like to use Vault over Keywhiz.
Upvotes: 0
Reputation: 8938
Generally, for production you'd store the env variables where the app would be hosted. For example:
You would use Encrypted secrets:
Encrypted secrets allow you to store sensitive information in your organization, repository, or repository environments.
Just released Environment Variables on the root of a site's deploy side nav bar.
You would store your environment variables under Amplify, AWS hosting.
Haven't used it for a project in a while, but per the docs you'd reference Configuration and Config Vars, and there is a good question on it, "How to set environment variables on Heroku for Node app and connect to the PostgreSQL database?"
Another thing to keep in mind is to make sure you're distinguishing between your prod and dev env variables, as some use different variables in development. I do find it a good practice, if bringing someone into an existing project, to store a sample file:
sample.env.md
## For Foo
FOO=
## For Bar
BAR=
Make sure to include this to prevent an accidental commit:
.env
.development.env
.test.env
.production.env
Upvotes: 1
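An added example, not part of the answer above: a startup check for a Node app that reads the variable names from a template like sample.env.md and confirms the hosting environment supplies each one, reporting names only and never values. The function names and the constructed environments are assumptions made for illustration.

```javascript
// Template text mirroring the sample.env.md shown in the answer above.
const SAMPLE_TEMPLATE = `## For Foo
FOO=
## For Bar
BAR=
`;

// Extract variable names from a KEY= template; lines starting with # are comments.
function requiredKeys(template) {
  const keys = [];
  for (const raw of template.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=/.exec(line);
    if (!m) throw new Error(`Unparseable template line: ${JSON.stringify(line)}`);
    if (!keys.includes(m[1])) keys.push(m[1]);
  }
  return keys;
}

// Names that are unset or blank in env. Values are never returned or logged.
function missingKeys(template, env) {
  return requiredKeys(template).filter((k) => {
    const v = env[k];
    return typeof v !== "string" || v.trim() === "";
  });
}

// Fail fast at startup so a missing secret is a deploy error, not a runtime surprise.
// In a real app, pass process.env as the second argument.
function assertConfigured(template, env) {
  const missing = missingKeys(template, env);
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(", ")}`);
  }
  // Return a frozen object holding only the declared keys.
  return Object.freeze(
    Object.fromEntries(requiredKeys(template).map((k) => [k, env[k]]))
  );
}

// Constructed environments for demonstration only (not real secrets).
const constructedProdEnv = { FOO: "constructed-value-1", BAR: "constructed-value-2" };
const constructedBrokenEnv = { FOO: "constructed-value-1", BAR: "  " };

console.log("complete env, missing:", missingKeys(SAMPLE_TEMPLATE, constructedProdEnv));
console.log("broken env, missing:", missingKeys(SAMPLE_TEMPLATE, constructedBrokenEnv));
```

Because the error message lists variable names only, it is safe to surface in deploy logs.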
Reputation: 11
Managing machine permissions for the production environment is even more important.
If only you have access to the production environment, there should be no problem writing the secret key to .env.
However, you should be careful not to commit your production configuration to Git. So you should have multiple configuration files locally for your debug environment or production environment.
Upvotes: 0