Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Where should I store my secret keys for my Node.js app?

I am really struggling as to how I should hide my keys.

The two keys I need to hide are secrets.crypto and secrets.jwt... I plan on hosting my application on AWS using Elastic Beanstalk.

Also I am not sure where I would put my keys for access to things like my Dynamodb and my S3 bucket.

exports.generateToken = (type, user) => {
    if (!_.isString(type)) {
        return undefined;
     }

    try {

         //Turn the json object of the current user's id and the type of token into a string
         var stringData = JSON.stringify({
             _id: user._id,
             type: type
         });

        //Take the json string and encrypt it with a secret then turn it back into a string
        var encryptedData = cryptojs.AES.encrypt(stringData, secrets.crypto).toString();

        //Take the encryptedData and turn it into a token with a secret
        var token = jwt.sign({
            token: encryptedData
        }, secrets.jwt);

        return token;
    } catch(e) {
        return undefined;
    }
};
like image 894
ConnorB Avatar asked Jan 15 '17 07:01

ConnorB


People also ask

Where should secret key be stored?

If you are using dynamically generated secrets, the most effective way to store this information is to use the Android Keystore API. You should not store them in shared preferences without encrypting this data first because they can be extracted when performing a backup of your data.

Where does node store secret key?

That's where dotenv library comes in. With dotenv, you will store your secrets in a separate file called . env . Finally, you have to load the dotenv library at the top of your app.

How do I store my app secrets?

You can store secrets in your source control (GitHub/Bitbucket/GitLab/..), CI/CD tool (GitHub Actions/CircleCI/Jenkins/..) or cloud (AWS Secret Manager/Azure Key Vault/GCP Secret Manager/..). You can even opt for third party key vaults like HashiCorp Vault but I am keeping them out of this discussion.

Where should we add sensitive information like secret key of API or secret credentials in react JS or node JS and why?

The best way to handle configuration keys or credentials like API keys with Node. js is to use environment variables. Environment variables: An environment variables have the ability to configure a value in the code from outside your application.


1 Answers

In Elastic Beanstalk I believe the preferred way to store keys like this is via environment variables. You can use the command eb setenv key=value to set an environment variable. More information about this here.

For accessing the AWS API, which you mention in regards to accessing DynamoDB and S3, you would not use keys at all. For this you would assign an IAM instance profile to the EC2 servers created by Elastic Beanstalk. This is documented here.

like image 153
Mark B Avatar answered Oct 13 '22 07:10

Mark B