
I understand how JWTs work and that with my secret anyone can issue new tokens. I control the server that my node website runs on and am considering different options for hosting the key.

  1. In code - Not acceptable because my code is in a github repo
  2. ENV variable - separate secrets for dev and production while not leaking to github
  3. Store in database - Seems more like 2nd option with more work, being that an on-machine attacker can find access to the db anyways

2nd option looks like the best method for a simple website (no super sensitive user info like credit cards or SSNs).

Is this a good solution?

arif
DeTraygus
  • "Is this a good solution?" depends on your needs. There isn't one answer to such questions because different systems have different security needs depending on a variety of factors. Some may be fine with ENV variables, some may need a dedicated secrets service, and some may require an HSM. Ultimately you have to decide what is good enough for *you*. – Conor Mancone Mar 29 '20 at 10:13
  • In other words, [what is your threat model](https://security.stackexchange.com/questions/225012/what-is-a-threat-model-and-how-do-i-make-one)? – Conor Mancone Mar 29 '20 at 10:15

2 Answers

Use environment variables as you said, just be careful in how you actually pass the value to the variable so that it doesn't leak to logs.

For example, instead of `docker run -e SECRET=foo`, use `docker run -e SECRET=$(cat my_secret)`.

The Illusive Man

I don't think storing secrets, not only the JWT secret but any kind of secret like SSH keys, database usernames/passwords, etc., in Docker ENV is ideal or recommended.

You can use Docker Secrets for these kinds of things. Though I am not sure how to implement Docker secrets in your use case, I have used TLS certificates, SSH keys and various credentials with Docker secrets, passed them around the swarm, and it works every time.

arif
  • *Why* isn't the environment ideal or recommended? Also, Docker secrets are specific to Docker swarm, which makes this suggestion of limited value to others. In essence your answer just contains a product recommendation without further details - it is unlikely to be very useful to others on a site like this. – Conor Mancone Mar 29 '20 at 10:10