Reputation: 6384
dotenv is recommended to store local configuration with strict separation of config from code. However, it stores a private key as plain text in the .env file.
Also, the crypto module somehow needs to deal with a plain-text password.
Is there a way to store a password which can be deciphered with a system-dependent algorithm, so that if the encrypted password is stolen, it would still require knowing the source system's features?
Upvotes: 1
Views: 653
Reputation: 1353
As far as I know, no. Think of it this way: you need the text, in some way, to do some task. How do you normally keep text like this private? Hashing; however, if it is a one-way hash algorithm this is useless, as you don't want to validate the hash but rather gather the contents of said hash, and if it is a hash-and-salt algorithm where you can retrieve the data, you are only adding extra steps for the perpetrator. Storing it in a .env file is the safest route to go; make sure to add it to .gitignore or your own VCS ignore file, and optionally disable IDE local file tracking if it's available.
Upvotes: 1
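The answer's advice (keep the secret in a `.env` file, load it through the environment, and make sure the file is ignored by version control) can be turned into a small pre-flight check that a CI or deploy step runs before the app starts. The following is an added example and not code from the question, the answer, or the dotenv project; its `parseDotenv` is a minimal stand-in for the dotenv package so it runs with no dependencies, the `.gitignore` matcher only handles the simple patterns people use for env files, and the sample file contents are constructed.

```javascript
// Added example: pre-flight hygiene check for secrets kept in a .env file.
// Not part of the original post or of the dotenv package.

// Parse the subset of dotenv syntax needed here: KEY=VALUE lines,
// optional surrounding quotes, '#' comment lines and blank lines.
function parseDotenv(text) {
  const env = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue; // malformed line: skipped, as dotenv does
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    env[key] = value;
  }
  return env;
}

// Decide whether a .gitignore would ignore the given file name.
// Supports exact names, an optional leading slash, a single trailing
// wildcard such as ".env*", and negations ("!.env") that un-ignore an
// earlier match. Full gitignore semantics are out of scope here.
function isIgnored(gitignoreText, fileName) {
  let ignored = false;
  for (const rawLine of gitignoreText.split(/\r?\n/)) {
    let pattern = rawLine.trim();
    if (pattern === "" || pattern.startsWith("#")) continue;
    const negate = pattern.startsWith("!");
    if (negate) pattern = pattern.slice(1);
    if (pattern.startsWith("/")) pattern = pattern.slice(1);
    const match = pattern.endsWith("*")
      ? fileName.startsWith(pattern.slice(0, -1))
      : fileName === pattern;
    if (match) ignored = !negate;
  }
  return ignored;
}

// Return the findings a deploy or CI step should fail on:
// .env not ignored, a required secret missing/empty, or an obvious
// placeholder left in place of a real value.
function checkSecretHygiene({ dotenvText, gitignoreText, requiredKeys }) {
  const findings = [];
  const env = parseDotenv(dotenvText);
  if (!isIgnored(gitignoreText, ".env")) {
    findings.push(".env is not covered by .gitignore");
  }
  for (const key of requiredKeys) {
    if (!(key in env) || env[key] === "") {
      findings.push(`missing or empty secret: ${key}`);
    } else if (/^(changeme|password|secret|test)$/i.test(env[key])) {
      findings.push(`placeholder value for secret: ${key}`);
    }
  }
  return findings;
}

// Constructed sample inputs for a stand-alone run (not real files).
const SAMPLE_DOTENV = `
# local configuration, never commit this file
DB_PASSWORD="s3cr3t-local-only"
PRIVATE_KEY=changeme
`;
const SAMPLE_GITIGNORE = `
node_modules/
.env
!.env.example
`;

const SAMPLE_FINDINGS = checkSecretHygiene({
  dotenvText: SAMPLE_DOTENV,
  gitignoreText: SAMPLE_GITIGNORE,
  requiredKeys: ["DB_PASSWORD", "PRIVATE_KEY"],
});
console.log(SAMPLE_FINDINGS); // → [ 'placeholder value for secret: PRIVATE_KEY' ]
```

In a real project the `.env` and `.gitignore` texts would be read from disk and the app would refuse to start (or the pipeline would fail) when `checkSecretHygiene` returns anything; the check does nothing to hide the secret from someone who already has the machine, which is exactly the answer's point.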