36

I'm trying to build a node.js server with express framework, and I want to store a private key for admin APIs in my server.
I'm now using .env file to store those values, and in my routes, using that values by calling like process.env.ADMIN_KEY.

Question
Is it secure way to handle private datas? or there's another way better than this?

hyojoon
  • 493
  • 1
  • 6
  • 17

5 Answers5

49

It is more secure to store your secrets in a .env file than in the source code itself. But you can do one better. Here are the ways I've seen secrets managed, from least to most secure:

  1. Hard-code the secrets in the code.

    • Pros: None. Don't do this.
    • Cons: Your developers will see your production secrets as part of their regular work. Your secrets will be checked into source control. Both are security risks. Also, you have to modify the code to use it in different environments, like dev, test, and production.

  2. Put secrets in environment variables, loaded from a .env file.

    • Pros: Developers won't see your production secrets. You can use different secrets in dev, test, and production, without having to modify the code.
    • Cons: Malicious code can read your secrets. The bulk of your application's code is probably open-source libraries. Bad code may creep in without you knowing it.

  3. Put secrets in a dedicated secret manager, like Vault by HashiCorp or Secret Manager by Google Cloud.

    • Pros: It's harder for malicious code to read your secrets. You get auditing of who accessed secrets when. You can assign fine-grained roles for who updates secrets and who can read them. You can update and version your secrets.
    • Cons: It's additional technology that you have to learn. It may be an additional piece of software that you need to set up and manage, unless it's included in the cloud platform you're using.

So the choice is really between items 2 and 3 above. Which one you pick will depend on how sensitive your secrets are and how much extra work it would be to use a dedicated secret manager. For example, if your project is running on Google Cloud Platform, the Secret Manager is just one API call away. It may be just as easy on the other major cloud platforms, but I don't have first-hand experience with them.

Sam Herrmann
  • 6,293
  • 4
  • 31
  • 50
Martin Omander
  • 3,223
  • 28
  • 23
  • what is the use of creating env file on a private codebase? – Jobin S Nov 18 '21 at 17:12
  • 3
    @JobinS development and testing purposes – riccardogabellone Jan 19 '22 at 23:44
  • 2
    @JobinS Many people use different databases in dev, test, and prod environments. So you'd need different database addresses and passwords for these three environments. – Martin Omander Sep 07 '22 at 00:23
  • 1
    But where would you store the api key password? If they can find that, they can access the API and still get all the secrets, no? – SaroGFX Sep 20 '22 at 14:15
  • 1
    @SaroVerhees On Google Cloud your code runs as a service account, which has certain privileges determined by the admin. There is no need to supply an API key. – Martin Omander Oct 14 '22 at 00:35
  • @SaroGFX you're absolutely right. Indeed env vars are susceptible to be stolen, so being them the actual api keys, passwords and so on, that you put in a secure store, or the secure store access keys and passwords to get them, they can get stolen. You just added an extra step to the keys, not any actual level of security, now you also gave them access to the secure store. In case of Kubernetes for the app deployment, using by env file you can get the env file with just an exec command. So in the end Access points to your app are more important to secure.. Tls etc etc. – Vincenzo Aug 17 '23 at 18:56
12

Simple answer is YES, .env is used to store keys and secrets. It is not pushed to your repo i.e. github or bitbucket or anywhere you store your code. In that way it is not exposed.

Here are the tutorial links for correct usage:

Zeeshan Hassan Memon
  • 8,105
  • 4
  • 43
  • 57
  • 1
    Most secure way if you are using EBS, store all the secret env under EBS environment variables. And I am sure for other nodejs hosting services have the same capabilities. – Abhik Chakraborty Feb 23 '20 at 10:08
  • I'm confused if it's not pushed to github and I use github repo as source for deployment on some cloud hosting, how will my deployed project use those secret values that lies within that `.env`? – Yves Ng Jun 15 '21 at 10:36
  • 4
    @YvesNg if you're using physical or virtual machine i.e. EC2 or Azure VM etc then you can login in to the server then where your code/repo resides create .env and copy-past its contents. If you're using PaaS i.e. Heroku or something else then you can directly manage en variables without using .env file because they provide option for it. – Zeeshan Hassan Memon Jun 15 '21 at 18:50
  • @ZeeshanHassanMemon so that means manually adding a number of variables. neat xD – Yves Ng Jun 16 '21 at 11:10
  • what is the use of creating env file on a private codebase? – Jobin S Nov 18 '21 at 17:12
  • It is a possible way of keeping secrets hidden and also a way to manage the environment without polluting global stuff. – Zeeshan Hassan Memon Nov 18 '21 at 18:23
3

Secrets stored in environment variables are in risk of getting exposed (for non-private node apps) as for example libraries you use might print the environment into the log in case of an error. So it would be more safe to store them in a file outside of source control and import it where needed.

https://movingfast.io/articles/environment-variables-considered-harmful/

luigisuncorner
  • 51
  • 4
1

It is yes. An additional security check can be added by using encrypted values. Also avoid to checkin your .env file in public repo.

Hallah
  • 111
  • 4
0

You can and should store secrets, credentials or private data securely inside a .env is a secure environment config section in your projects, useful for storing API keys and app credentials. Only invited collaborators are able to see the contents of your .env file.

Bioukh
  • 1,888
  • 1
  • 16
  • 27
Tushar
  • 54
  • 4