Hide secret key in public repository

Question

I am working on an open-source javascript application I am trying to interface with a third party API (github specifically). I am trying to keep my entire application client-side only, so I really won't have a server to fall back to or store hidden files on. As part of the OAuth process I need to provide the secret key provided for my api key. I am not supposed to publish or share this key.

I have come up with the following solution:

1. Encrypt the secret key using triple-DES and a passphrase.
2. Put the encrypted version in my repository somewhere.
3. When I need to authenticate via Oauth, prompt for the passphrase and recover the secret key.
4. Once known, store secret in local storage to avoid future prompts.

I am essentially storing a transformed version of th secret key. I guess all this buys me is that I must get the passphrase from the user instead of the full key. It should be a little easier to remember than random bytes.

Is this secure enough? It is not a super critical app, but I want to do my best to protect things that I am told not to share. Is there a better way than 3DES to encrypt the key in a reversible way?

Answer 1

The problem with this solution is that the application has to contain the code (and possibly the key) to decrypt it. The best solution is not to put in the repository at all.

Most applications store this type of data in a config file that's ignored by version control software. Then include an example config file with a fake key and instructions on how to rename the file and acquire an api key of their own.

A good example of this is in wordpress's config file in the "Authentication Unique Keys and Salts." section.

Answer 2

That sounds more than adequate to keep something secret; though Triple DES is a little dated.

I would use X rounds of SHA-256 to hash the passphrase, then use that hash as an AES-256 key.