
For a Node app, it is often discouraged to use the .env library to store API keys in production. What is the best way to store the keys in production?

The .env library is discouraged for production use in a Node app.

  • Where is the production app running? Amazon EC2, Azure VM, somewhere else? – jarmod Nov 03 '22 at 11:49
  • It is running on Digital Ocean VPS (Ubuntu Linux) – Emil Patrick Nov 03 '22 at 15:55
  • Some discussion [here](https://www.digitalocean.com/community/tutorials/an-introduction-to-managing-secrets-safely-with-version-control-systems#using-configuration-management-systems-for-secret-management). – jarmod Nov 03 '22 at 16:23

3 Answers

1

Generally, for production you'd store the env variables where the app would be hosted. For example:

Github Actions

You would use Encrypted secrets:

Encrypted secrets allow you to store sensitive information in your organization, repository, or repository environments.

Netlify

Netlify just released Environment Variables, found at the root of a site's deploy side nav bar.

AWS

You would store your environment variables under Amplify (AWS hosting).

Heroku

I haven't used it for a project in a while, but per the docs you'd reference Configuration and Config Vars, and there is a good question on it: "How to set environment variables on Heroku for Node app and connect to the PostgreSQL database?"

Store Example

Another thing to keep in mind: make sure you're distinguishing between your prod and dev env variables, as some use different variables in development. I do find it a good practice, when bringing someone into an existing project, to store a sample file:

sample.env.md

```
## For Foo
FOO=

## For Bar
BAR=
```

.gitignore

Make sure to include this to prevent an accidental commit:

```
.env
.development.env
.test.env
.production.env
```

DᴀʀᴛʜVᴀᴅᴇʀ
0

Managing machine permissions for the production environment is even more important.

If only you have access to the production environment, there should be no problem writing the secret key to .env.

However, you should be careful not to commit your production configuration to git, so you should have multiple configuration files locally for your debug environment or production environment.

Doven
0

Using .env files is somewhat useful but limited. I would suggest using a proper application to achieve this.

HashiCorp's Vault is a very powerful tool to manage secrets. If you are looking for an open-source alternative, Keywhiz can be the solution. But I do not have production experience with it. I would like to use Vault over Keywhiz.

Eren Yatkin