
So there is a Node.js package openpgp which is available for signing documents with GPG, but it requires a public/secret key. We all know putting the key right into the file is dangerous and not recommended in production, and usually we'll use an environment variable (process.env), but how about using the Node.js built-in fs? Is it safe?

So let's say we've got our public/private key in public.key and private.key; then is it safe (for production) to retrieve the key with the following script?

var express = require('express');
var app = express();

var fs = require('fs');

function PublicKey() {
    // readFileSync so the key is in hand before we return it;
    // with the async fs.readFile the callback would only run after
    // return and the function would hand back undefined
    var publickey = fs.readFileSync('./public.key');
    return publickey;
}

function PrivateKey() {
    // same as above; a read error throws from readFileSync directly
    var privatekey = fs.readFileSync('./private.key');
    return privatekey;
}

app.get('/' ,(req, res) => {
    ...
    var gpgkey = {
        public: PublicKey(),
        private: PrivateKey()
    }
    //only save to local variable when needed, which will be cleared when the function finished
    ...
})

So in my code I've used a function to return the key and store it in a local variable. My opinion is that storing keys in a local variable instead of a global variable is better because the local variable will be cleared when the function is finished.

So is my code safe? Is saving keys in a local variable an extra step? Which one is more recommended, using process.env or fs?
