
I have a Django app that uses some secret keys (for example for OAuth2 / JWT authentication). I wonder where the right place to store these keys is.

Here are the methods I found so far:

  1. Hardcoding: not an option, I don't want my secrets on the source control.
  2. Hardcoding + obfuscating: same as #1 - attackers can just run my code to get the secret.
  3. Storing in environment variables: my app.yaml is also source-controlled.
  4. Storing in DB: Not sure about that. DB is not reliable enough in terms of availability and security.
  5. Storing in a non-source-controlled file: my favorite method so far. The problem is that I need some backup for the files, and manual backup doesn't sound right.

Am I missing something? Is there a best practice for storing secret keys for Django apps or App Engine apps?

Tzach
  • What could you possibly mean by saying the datastore is not reliable enough? It has 99.999% availability. – Daniel Roseman Nov 30 '14 at 14:10
  • @DanielRoseman I'm not using the datastore. I'm using Cloud Sql. – Tzach Nov 30 '14 at 14:13
  • Not sure how the App Engine works, but passwords etc. can easily be stored in environment variables, which are not source controlled. At least that's how it works on any normal Linux environment. – dan-klasson Nov 30 '14 at 14:20
  • Possible duplicate of [GAE: best practices for storing secret keys?](http://stackoverflow.com/questions/6501234/gae-best-practices-for-storing-secret-keys) – mgojohn Apr 07 '17 at 19:46

2 Answers


You can hardly hide the secret keys from an attacker that can access your server, since the server needs to know the keys. But you can make it hard for an attacker with low privileges.

Obfuscating is generally not considered a good practice.

Your option 5 seems reasonable. Storing the keys in a non-source-controlled file allows you to keep the keys in a single, well-defined place. You can set appropriate permissions on that file so that an attacker would need high privileges to open it. Also make sure that high privileges are required to edit the rest of the project; otherwise, the attacker could modify a random file of the project to access the keys.

I myself use your option 5 in my projects.

mimo
  • Tony, how do you back up the files? – Tzach Nov 30 '14 at 14:23
  • @Tzach In my case, I don't need to back up the secret file: if the server crashes, I just generate new keys. If you need a backup of the keys, I suppose that you would need to save them manually in a safe place. – mimo Nov 30 '14 at 14:29
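One way to implement option 5 with the permission checks this answer recommends, as an added example that is not part of the original answers or of Django itself. It assumes a JSON secrets file outside the repository and the entry names `SECRET_KEY` and `JWT_SIGNING_KEY`; the loader refuses to start the app if the file is group- or world-accessible or not owned by the process user, so a sloppy deploy fails loudly instead of leaving the keys readable to a low-privileged attacker.

```python
import json
import os
import stat
from pathlib import Path


class SecretsFileError(RuntimeError):
    """Raised when the secrets file is missing, too permissive, or incomplete."""


# Entry names are an assumption for this example; adapt to your project.
REQUIRED_ENTRIES = ("SECRET_KEY", "JWT_SIGNING_KEY")


def load_secrets(path, allowed_mode=0o600):
    """Load a JSON secrets file that is deliberately kept out of source control.

    Fails closed: any permission bit outside `allowed_mode` (e.g. 0644) or a
    file owned by another user is treated as a misconfiguration.
    """
    p = Path(path)
    try:
        st = p.stat()
    except FileNotFoundError:
        raise SecretsFileError(f"secrets file {p} is missing (it is not in the repo on purpose)")

    mode = stat.S_IMODE(st.st_mode)
    if mode & ~allowed_mode:
        raise SecretsFileError(
            f"{p} has mode {mode:04o}; expected at most {allowed_mode:04o} (run chmod 600)"
        )
    if st.st_uid != os.geteuid():
        raise SecretsFileError(f"{p} is not owned by the user running the app (uid {os.geteuid()})")

    with p.open() as fh:
        secrets = json.load(fh)

    missing = [name for name in REQUIRED_ENTRIES if not secrets.get(name)]
    if missing:
        raise SecretsFileError(f"{p} is missing required entries: {missing}")
    return secrets


# Typical use in settings.py; the path comes from the environment so nothing
# secret is hardcoded (the default path here is an assumption for the example):
# SECRETS = load_secrets(os.environ.get("DJANGO_SECRETS_FILE", "/etc/myapp/secrets.json"))
# SECRET_KEY = SECRETS["SECRET_KEY"]
```

Back up the file the same way you back up any other host-local configuration; the loader itself only guards how it is read.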

A solution I've seen is to store an encrypted copy of the secret configuration in your repository using gpg. Depending on the structure of your team you could encrypt it symmetrically and share the password to decrypt it or encrypt it with the public keys of core members / maintainers.

That way your secrets are backed up the same way your code is without making them as visible.

zvyn