1

I'm setting up a development and production environment for a web application. It uses some remote APIs for which you need a key to access them. You don't want those in your code, as well as the database credentials.

I have done some research and learned that one could store them in a file that does not get committed to the repository. Is this safe to do on a production server (Ubuntu 16.04)? Granted that the server has been hardened correctly? Or should additional steps be taken? Or is it the wrong way to do it all together?

NG.
  • 115
  • 1
  • 6
  • Set them in the environment variables. See https://security.stackexchange.com/questions/49725/is-it-really-secure-to-store-api-keys-in-environment-variables – Chloe Oct 20 '17 at 20:58
  • a secrets file works, as do environs, as do secure IPCs/servers – dandavis Oct 21 '17 at 08:00

1 Answers1

0

Confirm. For sure those secrets should not be hardcoded in the code. The best would be to have a separate file with secrets encrypted. This file should be stored on some area which is not accessible by the application server (outside its scope).

According to the encryption of data in the config file, unfortunately, I am not familiar with features that Ubuntu has. I am a .NET developer and there was a mechanism presented by .NET Framework which allowed to encrypt parts of the config file (web.config) using a defined key stored on the machine (MachineKey)

Bartosz Rosa
  • 337
  • 1
  • 6