16

This site says it is best to keep API keys in environment variables, out of the code. And here:

Storing Credentials Securely

You should take great care to ensure your credentials are stored securely. If someone obtains your api_key or an access_token with the send or all permission, they will be able to send all the bitcoin out of your account.

In particular, you should avoid storing these credentials in your code base (which gets added to version control) or in your database unless you have encrypted them securely. Separating credentials from your code base and database is a good practice.

API key access is turned off by default on all accounts. So if you decide to do an API key integration, you will need to enable it first and take the necessary steps from then on to store it securely. You can always regenerate your API key (or disable it) if you feel it has been compromised.

However, whenever a program crashes, it often sends the environment as part of the crash report:

https://lists.launchpad.net/openjdk/msg01149.html

Environment Variables: ...

So... which is it? I don't see why storing keys in the environment is any safer than the source code. If someone gets to the system, they have access to both.

Chloe

2 Answers

13

If your computer is able to use the API without a password, then the information has to be stored somewhere on your system. The point of storing it in the environment variable is to make it so that you don't check it in to the version control along with the source. However, really, the ideal would be to use something like an HSM or TPM to store the API key in an encrypted manner that you can retrieve programmatically, or store it on disk encrypted with the account credentials for the service or application that uses it.

I personally would be hesitant to use environment variables, but if you are only worried about accidentally revealing the key (and not local security for someone with access to your box) then it is one option for how to separate the code and keys, just not the best one.

AJ Henderson
2

Using environment variables could be exceptionally bad advice. As you note yourself, environment variables may be revealed in certain circumstances, and within the PHP world for example, a phpinfo page that you may be asked to provide as part of a support process to a 3rd party would do this. Also consider how and when the environment variable would be set. If it is set when the web server starts, the variable could be visible to any script that runs. When a hacker exploits a site weakness to deposit an arbitrary script that they can run (recent estimates say that tens of thousands of sites are breached daily), they may be able to obtain the key in seconds. If instead the key is set from a file within a single and ideally obscure part of the codebase, and perhaps by protected or native code, it could take much longer before the hacker can identify the key. If you have good intrusion detection in place, there's also a good chance that you'll be able to block them before they have been able to analyse your site to locate where the key is set. Disclosure: I am associated with ionCube.

Nick
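An added example, not code from the question, the answers or the quoted documentation: a Python sketch of two mitigations the thread points toward, reading the key from a file that only the running user can access, and redacting secret-looking variables before an environment dump goes into a crash report. The marker list, the function names and the sample values are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Assumed naming convention for secret-bearing variables (not from the page).
SENSITIVE_MARKERS = ("KEY", "TOKEN", "SECRET", "PASSWORD")


def load_api_key(path):
    """Read a key from a file only if it is a regular file private to this user."""
    fd = os.open(path, os.O_RDONLY)
    try:
        st = os.fstat(fd)  # check the opened file, not the path, to avoid a race
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_uid != os.getuid():
            raise PermissionError(f"{path}: not owned by the running user")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path}: group/other access set, expected 0600")
        return os.read(fd, 4096).decode("utf-8").strip()
    finally:
        os.close(fd)


def redacted_environment(environ=None):
    """Return a copy of the environment that is safe to attach to a crash report."""
    environ = os.environ if environ is None else environ
    return {
        name: "[REDACTED]" if any(m in name.upper() for m in SENSITIVE_MARKERS) else value
        for name, value in environ.items()
    }


if __name__ == "__main__":
    # Constructed sample data: a throwaway key file and a fake environment.
    fd, key_path = tempfile.mkstemp()  # mkstemp creates the file with mode 0600
    os.write(fd, b"constructed-example-key\n")
    os.close(fd)
    print(load_api_key(key_path))
    os.chmod(key_path, 0o644)  # loosen permissions to show the refusal
    try:
        load_api_key(key_path)
    except PermissionError as exc:
        print("refused:", exc)
    os.unlink(key_path)
    print(redacted_environment({"EXAMPLE_API_KEY": "abc", "PATH": "/usr/bin"}))
```

Neither check protects the key from someone who already runs code as the same user; they narrow accidental exposure through version control, support dumps and crash reports.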