Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Hide secret key in public repository

I am working on an open-source javascript application I am trying to interface with a third party API (github specifically). I am trying to keep my entire application client-side only, so I really won't have a server to fall back to or store hidden files on. As part of the OAuth process I need to provide the secret key provided for my api key. I am not supposed to publish or share this key.

I have come up with the following solution:

  1. Encrypt the secret key using triple-DES and a passphrase.
  2. Put the encrypted version in my repository somewhere.
  3. When I need to authenticate via Oauth, prompt for the passphrase and recover the secret key.
  4. Once known, store secret in local storage to avoid future prompts.

I am essentially storing a transformed version of th secret key. I guess all this buys me is that I must get the passphrase from the user instead of the full key. It should be a little easier to remember than random bytes.

Is this secure enough? It is not a super critical app, but I want to do my best to protect things that I am told not to share. Is there a better way than 3DES to encrypt the key in a reversible way?

like image 616
captncraig Avatar asked May 15 '12 14:05

captncraig


People also ask

How do I hide a secret key on GitHub?

The only way to hide it is to proxy your request through your own server. Netlify Functions are a free way to add some simple backend code to a frontend app. This is this method I used while learning to program in college, where I needed to share my progress with my peer group without disclosing my API keys.

How do you hide the key in frontend?

It is often recommended to use serverless functions to hide API keys for client side applications. Then the client can use this serverless function as a proxy to call the API through a new endpoint.

What is the best place to store secret API keys?

If you are using dynamically generated secrets, the most effective way to store this information is to use the Android Keystore API. You should not store them in shared preferences without encrypting this data first because they can be extracted when performing a backup of your data.


2 Answers

The problem with this solution is that the application has to contain the code (and possibly the key) to decrypt it. The best solution is not to put in the repository at all.

Most applications store this type of data in a config file that's ignored by version control software. Then include an example config file with a fake key and instructions on how to rename the file and acquire an api key of their own.

A good example of this is in wordpress's config file in the "Authentication Unique Keys and Salts." section.

like image 50
AaronAsAChimp Avatar answered Sep 23 '22 16:09

AaronAsAChimp


That sounds more than adequate to keep something secret; though Triple DES is a little dated.

I would use X rounds of SHA-256 to hash the passphrase, then use that hash as an AES-256 key.

like image 45
Petey B Avatar answered Sep 23 '22 16:09

Petey B