Storing API keys & secrets on servers

Question

I have a question regarding secure storage of API keys & secrets.

Here's my scenario:

I'm developing a program that collects/analyzes data from multiple external APIs. The data is rather sensitive, and the APIs all require a key & secret. My software will call these APIs, crunch the data returned, and store the results. I expect that I'll end up hosting this software in 'the cloud' eventually so I can have maximum up-time & scalability.

My question is what's the safest/best way to store the credentials (keys & secrets) for the external APIs that I'm calling?

Here are a few things that I've been considering, but I'm really open to anything...

• encrypt them & store in the database (decrypt them when used)
• encrypt them & store them on a flat-file on the server (decrypt them when used)
• store them on a separate server with tighter security, and make a call to get the creds.

Answer 1

You're going to end up chasing your tail on this one, purely because a server breach is game over. There are definitely steps you can take to reduce the damage a server breach can cause, but nothing foolproof.

Consider the options you've outlined:

• Encrypting w/ Database: Attacker can pull from the database and decrypt in the exact same way your server does.
• Encrypting w/ Flatfile: Attacker can just decrypt directly the same way your server does.
• Separate Server: Attacker can make a call to the separate server in the same way your server does.

My point is, you are focusing on the wrong part of your security. If the attacker gains access to the server, it is already game over. Focus on preventing access to your server in the first place.