6

I use Heroku to deploy a Rails app. I store sensitive data such as API keys and passwords in Heroku's environment variables, and then use the data in rake tasks that utilize various APIs.

I am just wondering how secure Heroku's environmental variables are? Is there a way to hash these variables while retaining the ability to use them in the background somehow?

I came across a previous thread here: Is it secure to store passwords as environment variables (rather than as plain text) in config files?.

But it doesn't quite cover instances when I still need to unhashed password to perform important background tasks.

Community
  • 1
  • 1
tdkr
  • 309
  • 2
  • 11

2 Answers2

3

Several things (mostly my opinion):

--

1. API Key != Password

When you talk about API Keys, you're talking about a public token which is generally already very secure. The nature of API's nowadays is they need some sort of prior authentication (either at app or user level) to create a more robust level of security.

I would firstly ensure what type of data you're storing in the ENV variables. If it's pure passwords (for email etc), perhaps consider migrating your setup to one of the cloud providers (SendGrid / Mandrill etc), allowing you to use only API keys

The beauty of API keys is they can be changed whilst not affecting the base account, as well as limiting interactivity to the constrains of the API. Passwords affect the base account

--

2. ENV Vars are OS-level

They are part of the operating environment in which a process runs. For example, a running process can query the value of the TEMP environment variable to discover a suitable location to store temporary files, or the HOME or USERPROFILE variable to find the directory structure owned by the user running the process.

You must remember Environment Variables basically mean you store the data in the environment you're operating. The generally means the "OS", but can be the virtual instance of an OS too, if required.

The bottom line is your ENV vars are present in the core of your server. The same way as text files would be sitting in a directory on the hard drive - Environment Variables reside in the core of the OS

Unless you received a hack to the server itself, it would be very difficult to get the ENV variable data pro-grammatically, at least in my experience.

Richard Peck
  • 76,116
  • 9
  • 93
  • 147
  • Hi Rick, thanks for the reply. What I'm worried about is that the server could get hacked, exposing critical data in ENV. So far, I'm storing API keys from Mashape and a private key and email address from Google's API. I'm also storing credentials from an API that requires a username and password (which is poorly designed I guess). I'm not sure if storing the private key in ENV is such a good idea though. – tdkr Jul 06 '14 at 10:50
2

What are you looking for? Security against who or what?

Every piece of information store in a config file or the ENV is readable to everyone who has access to the server. And even more important, every gem can read the information and send it somewhere.

You can not encrypt the information, because then you need to store the key to decrypt somewhere. Same problem.

IMO both – environment variables and config files – are secure as long you can trust everyone that has access to your servers and you carefully reviewed the source code of all libraries and gems you have bundled with your app.

spickermann
  • 100,941
  • 9
  • 101
  • 131
  • Basically, I'd like to secure the ENV against anyone that gains access to the server. afaik, bcrypt seems to be the best way to secure important information, but it seems hashing is not reversible so there's no way to hash it while making it readily available for background tasks. – tdkr Jul 06 '14 at 10:31
  • Right, everyone that has access to the server can for example start a Rails console, take a look into the database or read every environment variable. When you think some unwanted got access to your server, the only option is: Setup an complete new server and change all api keys, password and other credentials. – spickermann Jul 06 '14 at 10:44