
I interact with some APIs that use PKA and I'm looking for the safest / best-practice way to store my secret key. The approaches I know are for example:

  • Create a 0500 access directory on my server
  • Within that directory, store the file containing the secret key in plain text as a 0400 access file
  • Access and use the key on the localhost server via file_get_contents()

OR

  • Store the secret key in plain text via the .htaccess file of the server, via:

SetEnv HTTP_MY_VARIABLE "my value"

And then access and use the value via $_ENV.

Note that the .htaccess file eventually has something like 0644 access rights, which is why I prefer the first strategy to be safer.

What's your guess? Is there an even better way?

DevelJoe
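
The first approach in the question (a 0500 directory holding a 0400 key file, read by the local process) as an added shell example; this is not part of the original post. It also adds the check a practitioner would want before trusting the file: refuse the key if the directory or file has picked up group/other permission bits, or is a symlink, which is the same kind of exposure the asker points out for a 0644 .htaccess. The directory name, file name and key value are constructed for the demo; it assumes a POSIX shell with ls, cut, mktemp and chmod.

```shell
#!/bin/sh
# Added example, not part of the original question: the "0500 directory,
# 0400 file" layout described above, plus the permission check a reader
# should do before trusting the file. Paths, file name and key value are
# constructed for the demo; assumes a POSIX shell with ls, cut, mktemp, chmod.

# create_secret DIR FILE VALUE
# Write VALUE to DIR/FILE so that only the owning user can enter the
# directory (0500) and read the file (0400).
create_secret() (
    dir=$1; file=$2; value=$3
    umask 077                        # subshell: the umask change stays local
    mkdir -p "$dir"
    # printf, not echo: no option parsing, no escape interpretation
    printf '%s\n' "$value" > "$dir/$file"
    chmod 0400 "$dir/$file"
    chmod 0500 "$dir"
)

# mode_of PATH : first 10 chars of "ls -ld", e.g. "-r--------" or "dr-x------"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# read_secret DIR FILE
# Print the key (the shell equivalent of file_get_contents()), but refuse if
# the directory or the file has gained group/other bits, or is not a plain
# directory/regular file (a symlink shows as "l" in the first column).
read_secret() {
    dir=$1; file=$2
    case "$(mode_of "$dir")" in
        dr-x------|drwx------) ;;
        *) echo "refusing: $dir is not 0500/0700 but $(mode_of "$dir")" >&2; return 1 ;;
    esac
    case "$(mode_of "$dir/$file")" in
        -r--------|-rw-------) ;;
        *) echo "refusing: $dir/$file is not 0400/0600 but $(mode_of "$dir/$file")" >&2; return 1 ;;
    esac
    cat "$dir/$file"                 # $(...) callers get the key without the newline
}

# Demo run in a throw-away directory.
demo() {
    tmp=$(mktemp -d)
    create_secret "$tmp/keys" api.key "constructed-demo-secret"
    key=$(read_secret "$tmp/keys" api.key) && echo "read key of ${#key} bytes"
    chmod 0644 "$tmp/keys/api.key"   # simulate a careless chmod on the key file
    read_secret "$tmp/keys" api.key || echo "check rejected the 0644 file"
    chmod -R u+rwx "$tmp" && rm -rf "$tmp"
}
demo
```

The mode check is deliberately done on the directory as well as the file: a 0400 file inside a world-searchable directory is still only readable by its owner, but a 0500 directory is what keeps other local accounts from even listing or stat-ing the key file.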

2 Answers


Yeah, this is a really common question with no good answer.

  1. Prevent other users of the system from accessing the secret (other processes, or a local attacker with a cold copy of the hard disk).
  2. Prevent your own user from accessing the secret (for example in the case of a path traversal vuln in your app).

On Windows servers there is a really nice mechanism called Data Protection API (DP-API) where, basically, the kernel keeps track of encryption keys for each user, and you can ask the Windows kernel to encrypt some data for you, and then it's safe to put on disk because it can only be decrypted by your user on that machine.

I have never understood why the linux kernel does not have an equivalent (and the next time I run into a kernel dev, I'll ask for it).

You can't really implement this yourself by encrypting your secrets because you'll run into the "stack of turtles" problem that you need to store the master decryption key somewhere. Your next best bet might be some sort of vault application running on an adjacent host where your app can request its secrets when it needs them. It's not ideal, but at least the secrets aren't on the disk of the webserver.

Good luck, have fun, stay safe.

Mike Ounsworth


I wouldn't store it in a file on the server, but instead I would launch the server from a safe place with an Ansible playbook that sets the environment variable for it based on a value encrypted with ansible-vault.

- name: pull image for database
  environment:
    POSTGRES_PASSWORD: "{{ postgresql_password }}"
    POSTGRES_USER: "{{ postgresql_user }}"
    POSTGRES_DB: "{{ postgresql_database }}"
  docker_service:
    project_src: "{{ postgres_home }}"
    state: present
    pull: yes
    recreate: never
  notify: restart database

bbaassssiiee