Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Storing API keys & secrets on servers

Tags:

security

encryption

api-key

I have a question regarding secure storage of API keys & secrets.

Here's my scenario:

I'm developing a program that collects/analyzes data from multiple external APIs. The data is rather sensitive, and the APIs all require a key & secret. My software will call these APIs, crunch the data returned, and store the results. I expect that I'll end up hosting this software in 'the cloud' eventually so I can have maximum up-time & scalability.

My question is what's the safest/best way to store the credentials (keys & secrets) for the external APIs that I'm calling?

Here are a few things that I've been considering, but I'm really open to anything...

  • encrypt them & store in the database (decrypt them when used)
  • encrypt them & store them on a flat-file on the server (decrypt them when used)
  • store them on a separate server with tighter security, and make a call to get the creds.
like image 356
jmg Avatar asked Dec 16 '17 20:12

jmg

People also ask

What is the best way to store API keys?

If you are using dynamically generated secrets, the most effective way to store this information is to use the Keystore API. You should not store them in shared preferences without encrypting this data first because they can be extracted when performing a backup of your data.

Should API keys be stored in database?

So instead of storing the key in plain text (bad) or encrypting it, we should store it as a hashed value within our database. A hashed value means that even if someone gains unauthorised access to our database, no API keys are leaked and it's all safe.

Should I Store API keys encrypted?

However, experts do not consider API keys to be secure enough on their own. This is for a few reasons: API keys can't authenticate the individual user making the request, only the project or application sending the request. API keys are like passwords — only effective if the owner stores them securely.

Where should I store my API?

The best place to store an API key is in a secrets manager. Read more about regenerating API keys.

1 Answers

You're going to end up chasing your tail on this one, purely because a server breach is game over. There are definitely steps you can take to reduce the damage a server breach can cause, but nothing foolproof.

Consider the options you've outlined:

  • Encrypting w/ Database: Attacker can pull from the database and decrypt in the exact same way your server does.
  • Encrypting w/ Flatfile: Attacker can just decrypt directly the same way your server does.
  • Separate Server: Attacker can make a call to the separate server in the same way your server does.

My point is, you are focusing on the wrong part of your security. If the attacker gains access to the server, it is already game over. Focus on preventing access to your server in the first place.

like image 52
Luke Joshua Park Avatar answered Sep 28 '22 09:09

Luke Joshua Park
Sign in to Comment

Related questions

Drupal 7: how to restrict file access to specific user roles
Generate key pair on iphone and print to log as NSString
How do I restrict permissions based on the single page ID in the URL?
What is the best practise for where password comparison should be performed
Magento - users can see others data
What hashing algorithm should I use for storing passwords?
URL + htmlentities ? what to think about this?
Google App Engine: secure inter-app communication
php - website security using global variable
Redirect to a page with endResponse to true VS CompleteRequest and security thread
Is this AES encryption secure enough?
Windows 8 Apps - Local Storage Security
Devise - how does it set session cookies?
Can I disable a cookie from being sent automatically with server requests?
EC2 inbound from security group not working - what have I done wrong?
Is it secure to derive multiple keys from one password?
Symfony2 Authorization: Voters Vs. ACL
Circular reference Doctrine - Twig
Prevent public access to env file
Laravel or pure php?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!