levkany.com


How to properly store secrets

What are “secrets”?

“Secrets” are the best-known source of leaks and security breaches.

In this era, where so many platforms and services exist, reinventing the wheel is a waste of time and resources.

There are many services to choose from, from the smallest to the biggest.

But there is a catch: most of the time, those services expose an API that requires authentication.

Usually those services use a simple API key mechanism to authenticate the user with the API.

This is what we call a “secret”.

A secret can come in many shapes and forms.

It can be a simple API key or a plain username:password combination.

Here are some common secret types:

  1. API key
  2. Username:Password
  3. Credentials JSON file
  4. URL with auth credentials, like: mongodb://username:password@localhost:27017
  5. Any other value that grants access to a restricted resource or exposes one

How are secrets stored?

There are many ways to store “secrets”: some use a database to store them, while others use .env files.

The most common is a file called .env.

The .env file (environment variables) consists of key-value pairs that are loaded into the environment variables and are available to every application running in that context.

This approach is straightforward and easy to implement, which is why so many choose it.

Why secrets can compromise your organization

Using secrets is inevitable, as almost all services require them, but we must be very careful about how we manage them.

Most of the time, secrets are compromised when one of the following happens:

  1. Incorrect handling of secrets
  2. Bad isolation of software
  3. Pushing sensitive files to repos
  4. An installed library or dependency is compromised with malicious code

Incorrect handling of secrets will result in a leak, which will cost you a lot of money and damage your reputation.

Best way to store secrets

While there is a big debate about “What is the best way to store secrets?”, any acceptable method can be good and secure depending on the software's requirements.

I have found that for big projects that use many services and dependencies, a combination of the following is the most secure way:

  1. A “secret manager” service
  2. A .env file that stores “refs” to the secret keys
  3. In-memory managed secrets
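
As an added example (not the post's own code), here is a minimal Python implementation of that combination: the .env file carries only refs, each ref is resolved through the secret manager (a constructed dictionary stands in for the service here), and the resolved values live only in memory inside a wrapper that redacts itself when logged. The `ref:` prefix, the path layout, the sample values and the `literal_secrets_in` check are assumptions made for this example.

```python
import re

# Constructed .env content for this example: it holds only refs to secrets, never
# the secrets themselves. The "ref:" prefix and the path layout are assumptions.
ENV_TEXT = """\
APP_NAME=inventory
DB_URI=ref:prod/inventory/db_uri
PAYMENT_API_KEY=ref:prod/inventory/payment_api_key
"""

# Constructed stand-in for the secret manager service, keyed by ref path; a real
# deployment would fetch these over the manager's authenticated API instead.
SECRET_BACKEND = {
    "prod/inventory/db_uri": "mongodb://svc:s3cr3t@db.internal:27017",
    "prod/inventory/payment_api_key": "pk_live_example_0123456789",
}

# A URL with embedded user:password (secret type 4 above) pasted into .env
# instead of a ref is exactly the kind of value that ends up pushed to a repo.
LITERAL_SECRET_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)

class Secret:
    """In-memory holder whose value does not show up in logs or tracebacks."""
    def __init__(self, value): self._value = value
    def reveal(self): return self._value
    def __repr__(self): return "Secret(<redacted>)"

def parse_env(text):
    """Return {key: value} from .env text, skipping blanks and comments."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip().strip("'\"")
    return out

def literal_secrets_in(env):
    """Keys whose value looks like a pasted credential rather than a ref."""
    return sorted(k for k, v in env.items() if LITERAL_SECRET_RE.match(v))

def load_secrets(env, backend):
    """Resolve ref:<path> values via the backend into in-memory Secret objects;
    plain values pass through, and a missing ref fails loudly at start-up."""
    resolved = dict(env)
    for key, value in env.items():
        if value.startswith("ref:"):
            path = value[len("ref:"):]
            if path not in backend:
                raise KeyError(f"{key}: no secret at ref {path!r}")
            resolved[key] = Secret(backend[path])
    return resolved
```

Run `literal_secrets_in(parse_env(...))` as a pre-commit or start-up check so a raw credential in the .env file is caught before it is pushed.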