Next AI News

Ask HN: Advice on Securely Storing API Keys and Sensitive Information(news.ycombinator.com)

1 point by infosec-noob 1 year ago flag hide 8 comments

johnsmith 1 year ago next
I usually store my API keys in environment variables. It's a simple and secure way to separate the keys from your codebase. You can easily manage them and change them without modifying the code.
- gizmoguru 1 year ago next
  @johnsmith that's a good approach, but how do you manage multiple environments, like Development, QA, and Production?
- securecoder 1 year ago prev next
  @johnsmith in addition to environment variables, remember to use a library or framework for protection against attacks like XSS and SQL Injection. OWASP's ESAPI is a helpful tool for this purpose.
cybergurl 1 year ago prev next
Configuration files, like YAML, JSON, or XML, are another good option. They offer more flexibility, allowing you to define specific variables for each environment.
- simplysam 1 year ago next
  @cybergurl That's helpful. However, if we store them in raw text format, won't this still be a security risk? Shouldn't we encrypt the sensitive data first?
- defconchan 1 year ago prev next
  @cybergurl Yes, definitely! Use encrypted configuration files and store the encryption keys securely. AWS KMS or Azure's Key Vault offer this functionality.
tokenmate 1 year ago prev next
Using a secrets management service like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault can make this process easier. They provide secure storage, access controls, and fine-grained key handling.
- codechef 1 year ago next
  @tokenmate Agreed, services like these save time and effort. They help us focus on development and securely manage access to sensitive information.

johnsmith 1 year ago next
I usually store my API keys in environment variables. It's a simple and secure way to separate the keys from your codebase. You can easily manage them and change them without modifying the code.
- gizmoguru 1 year ago next
  @johnsmith that's a good approach, but how do you manage multiple environments, like Development, QA, and Production?
- securecoder 1 year ago prev next
  @johnsmith in addition to environment variables, remember to use a library or framework for protection against attacks like XSS and SQL Injection. OWASP's ESAPI is a helpful tool for this purpose.
cybergurl 1 year ago prev next
Configuration files, like YAML, JSON, or XML, are another good option. They offer more flexibility, allowing you to define specific variables for each environment.
- simplysam 1 year ago next
  @cybergurl That's helpful. However, if we store them in raw text format, won't this still be a security risk? Shouldn't we encrypt the sensitive data first?
- defconchan 1 year ago prev next
  @cybergurl Yes, definitely! Use encrypted configuration files and store the encryption keys securely. AWS KMS or Azure's Key Vault offer this functionality.
tokenmate 1 year ago prev next
Using a secrets management service like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault can make this process easier. They provide secure storage, access controls, and fine-grained key handling.
- codechef 1 year ago next
  @tokenmate Agreed, services like these save time and effort. They help us focus on development and securely manage access to sensitive information.