
Best practices to store sensitive information in Electron desktop application

I'm working on a desktop application using Electron.js with React.js and I have to store some sensitive information like API keys and database credentials. So I started digging and decided to encrypt the database credentials in a JSON file with an obfuscation method on top of it.

Now I have two SECRET_KEYS, one for the encryption and one for the obfuscation. So my concern was how to save this information safely. I'm not very familiar with Electron, but correct me if I'm wrong: as far as I know, we don't have an option to use custom environment variables safely, because we would need to store these variables locally in order to use them in the application. So, doing some research, I found that one of the strategies would be using some kind of external service to hold these keys.

PS: the encryption key would be saved in S3 but I would still need to handle my AWS KEYS.

So I'm using GitHub Actions and setting the key values in the secrets option. Basically, I have a workflow which will have an env option to specify my variables. This process happens after my build. (I'm using TypeScript, so I have to run my build script to convert the code to JS.)

Finally, on my Webpack, I have to use EnvironmentPlugin in order to access the environment variables values in my code.

Basically, I did all of this to avoid hardcoding my KEYS in the code or storing them locally, but I don't quite follow the difference between having the keys hardcoded (considering I'm using a private repository) and having this process set the key values using GitHub Actions. Because theoretically, GitHub would be replacing my process.env.MY_KEY with the value, right? Or not?

I mean, if a hacker uses some kind of software to get my "source code", would he be able to see the contents of my KEYS? Is the process I did with GitHub Actions safe enough, or is it just being used to hide my key values as much as possible?

gasscoelho asked Nov 06 '22 05:11


1 Answer

If you need the keys specifically during the build process, then yes, I would recommend using GitHub Actions secrets, as it will keep your keys safe while you build the app.

    - name: Run Build
      # Replace with the commands that need the keys at build time
      # (the build script name is assumed here)
      run: npm run build
      env:
        SECRET_KEY_1: ${{ secrets.SECRET_KEY_1 }}
        SECRET_KEY_2: ${{ secrets.SECRET_KEY_2 }}

If you need them at run time, meaning while running your Electron app, then you will need to store the keys in the system itself, using something like https://github.com/atom/node-keytar

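    const keytar = require('keytar')

    // keytar's functions return Promises, so they must be awaited
    async function main() {
      // Creates a secret
      await keytar.setPassword('MyAppName', 'AccountName', 'secret');

      // Reads the secret (resolves to null if no entry exists)
      const secret = await keytar.getPassword('MyAppName', 'AccountName');
      return secret;
    }

    main();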

Depending on whether the user is on Windows, Linux, or macOS, they will get prompted by the system's secrets holder, e.g. on macOS they will get prompted by Keychain.

Edward Romero answered Nov 11 '22 19:11
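
The question's point about `process.env.MY_KEY` being replaced with the value can be checked on the build output, since webpack's EnvironmentPlugin substitutes the literal at compile time. The following is an added example, not code from the question or the answer: `inlineEnv` is a simplified stand-in for that substitution, and `findLeakedSecrets`, the key names, the key values and `loadFromOsKeychain` are constructed for illustration.

```javascript
// Simplified stand-in for webpack's EnvironmentPlugin/DefinePlugin step:
// every `process.env.NAME` expression is replaced by the literal value
// taken from the build environment (JSON-encoded, as a string literal).
function inlineEnv(source, env, names) {
  return names.reduce(
    (out, name) => out.split(`process.env.${name}`).join(JSON.stringify(env[name])),
    source
  );
}

// CI guard: report which secret values appear verbatim in a built bundle.
// Checks both the raw value and its JSON-escaped form.
function findLeakedSecrets(bundleText, env, names) {
  return names.filter((name) => {
    const value = env[name];
    if (!value) return false; // unset or empty: nothing to search for
    const escaped = JSON.stringify(value).slice(1, -1);
    return bundleText.includes(value) || bundleText.includes(escaped);
  });
}

// Constructed sample data (not real keys, not code from the question).
const buildEnv = {
  ENCRYPTION_KEY: 'constructed-enc-key-0001',
  OBFUSCATION_KEY: 'constructed "obf" key\\0002',
};
const appSource = [
  'const encKey = process.env.ENCRYPTION_KEY;',
  'const obfKey = process.env.OBFUSCATION_KEY;',
  'module.exports = { encKey, obfKey };',
].join('\n');
// Variant that fetches the key at run time (hypothetical helper name).
const runtimeSource = 'const encKey = await loadFromOsKeychain("ENCRYPTION_KEY");';

const names = Object.keys(buildEnv);
const bundle = inlineEnv(appSource, buildEnv, names);
console.log(bundle);
console.log('leaked in bundle:', findLeakedSecrets(bundle, buildEnv, names));
console.log('leaked in runtime-loaded variant:',
  findLeakedSecrets(inlineEnv(runtimeSource, buildEnv, names), buildEnv, names));
```

Run against the real bundle files in CI, with the secret names taken from the workflow's `env` block, a non-empty result means the shipped application contains the key in plain text.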