
I'm working in a desktop application using Electron.js with React.js and I have to store some sensitive information like API keys and database credentials. So I started digging and decided to encrypt the database credentials in a JSON file with an obfuscation method on top of it.

Now I have two SECRET_KEYS, one for the encryption and one for the obfuscation. So my concern was how to save this information safely. I'm not very familiar with Electron, but correct me if I'm wrong: as far as I know, we don't have an option to use custom environment variables safely, because we would need to store these variables locally in order to use them in the application. So, doing some research, I found that one of the strategies would be using some kind of external service to hold these keys.

PS: the encryption key would be saved in S3 but I would still need to handle my AWS KEYS.

So I'm using Github Actions and setting the key values in the secrets option. Basically, I have a workflow which has an env option to specify my variables. This process happens after my build. -- I'm using Typescript, so I have to run my build script to convert the code to JS.

Finally, on my Webpack, I have to use EnvironmentPlugin in order to access the environment variables values in my code.

Basically, I did all of this to avoid hardcoding my KEYS in the code or storing them locally, but I don't quite follow the difference between having the keys hardcoded (considering I'm using a private repository) and having this process to set the key values using Github Actions. Because theoretically, Github would be replacing my process.env.MY_KEY with the value, right? Or not?

I mean, if a hacker uses some kind of software to get my "source code", would he be able to see my KEYS' content? Is the process I did with Github Actions safe enough, or is it just being used to hide my key values as much as possible?

Thanks!

gasscoelho
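The substitution step the question asks about happens in Webpack, not in Github Actions: EnvironmentPlugin (a shorthand for DefinePlugin over `process.env` keys) replaces every `process.env.NAME` in the source with the literal value read from the build environment, so the value ends up verbatim in the bundle shipped inside the Electron app. The following is an added example, not code from the original post: it models that substitution with a plain string replacement (a simplification of Webpack, not Webpack itself) and then runs a post-build check that reports which secret values are present in the artifact. The variable names, sample source and sample values are constructed for the example.

```javascript
// Added example (not from the original post): a minimal model of what
// webpack's EnvironmentPlugin/DefinePlugin does at build time, plus a
// post-build check that reports secrets that ended up in the bundle.
// inlineEnv() is a simplification of webpack's behaviour, not webpack.

// Names of the environment variables the build is expected to inline.
const SECRET_KEYS = ["MY_KEY", "AWS_SECRET_ACCESS_KEY"];

// Model of EnvironmentPlugin: every `process.env.NAME` in the source is
// replaced by the JSON-encoded value taken from the build environment.
function inlineEnv(source, env, names) {
  let out = source;
  for (const name of names) {
    if (!(name in env)) throw new Error(`missing env var ${name}`);
    const pattern = new RegExp(`process\\.env\\.${name}\\b`, "g");
    // Use a replacer function so `$` in the value is not interpreted.
    out = out.replace(pattern, () => JSON.stringify(env[name]));
  }
  return out;
}

// Post-build check: return the names whose values appear verbatim in
// the artifact. A CI step can fail the build when this list is non-empty.
function findLeakedSecrets(bundle, env, names) {
  return names.filter((name) => env[name] && bundle.includes(env[name]));
}

// Constructed sample source and build-time environment (not real secrets).
const SAMPLE_SOURCE = `
const client = createClient({ key: process.env.MY_KEY });
const s3 = new S3({ secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY });
`;
const SAMPLE_ENV = {
  MY_KEY: "example-key-000",
  AWS_SECRET_ACCESS_KEY: "example-aws-secret-000",
};

// Run the modelled build and the leak check on the constructed input.
function demo() {
  const bundle = inlineEnv(SAMPLE_SOURCE, SAMPLE_ENV, SECRET_KEYS);
  const leaked = findLeakedSecrets(bundle, SAMPLE_ENV, SECRET_KEYS);
  return { bundle, leaked };
}

const result = demo();
console.log(result.bundle);
console.log("secrets present in bundle:", result.leaked);
```

Running it prints the "bundle" with both literals inlined and lists both names as present, which is exactly what an attacker who unpacks the application's asar archive would be able to read. The mitigation is to keep the secret out of the renderer bundle entirely: a value that must exist on the user's machine belongs in the OS credential store (Electron exposes this through `safeStorage`), and a value that must not be on the user's machine at all has to stay behind a backend service that the app authenticates to.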