Questions tagged [secret-key]

A secret key is a piece of data that is known by a limited number of users / programs and that participates in protecting information (or access to the information).

Unlike passwords, which are meant to be input by users and verified by matching, secret keys are usually read from storage and are an active part of an algorithm to decrypt the protected information.

The secret key can be used both to encrypt and decrypt the information, in which case only the owners of the secret key can communicate with each other; or it can be used in association with a public key, in which case anyone can encrypt data that can then be read only by the owners of the secret key.

Use this tag for questions related to the creation, storage and usage of secret keys.

632 questions
143 votes, 3 answers

How do API Keys and Secret Keys work? Would it be secure if I have to pass my API and secret keys to another application?

I am just starting to think about how api keys and secret keys work. Just 2 days ago I signed up for Amazon S3 and installed the S3Fox Plugin. They asked me for both my Access Key and Secret Access Key, both of which require me to login to…
Lance
124 votes, 5 answers

Best practices for server-side handling of JWT tokens

(spawned from this thread since this is really a question of its own and not specific to NodeJS etc) I'm implementing a REST API server with authentication, and I have successfully implemented JWT token handling so that a user can login through a…
JHH
122 votes, 4 answers

Why use an API key and secret?

I came across many APIs that give the user both an API key and a secret. But my question is: what is the difference between both? In my eyes, one key can be enough. Say I have a key and only I and the server know it. I create a HMAC hash with this…
EsTeGe
75 votes, 12 answers

How to hide .env passwords in Laravel whoops output?

How can I hide my passwords and other sensitive environment variables on-screen in Laravel's whoops output? Sometimes other people are looking at my development work. I don't want them to see these secrets if an exception is thrown, but I also don't…
Jeff Puckett
46 votes, 1 answer

Why does my AES encryption throw an InvalidKeyException?

I'm currently working on a function that encrypt/decrypts a specific file with a secret key. I have written three classes, one which generates a key, one which encrypts a file with the key and one that decrypts. Generating the key and encrypting the…
John Snow
45 votes, 3 answers

Secure keys in iOS App scenario, is it safe?

I am trying to hide 2 secrets that I am using in one of my apps. As I understand the keychain is a good place but I can not add them before I submit the app. I thought about this scenario - Pre seed the secrets in my app's CoreData Database by…
shannoga
43 votes, 4 answers

How to store a secret API key in an application's binary?

I am creating a Twitter client for Mac OS X and I have a Consumer secret. It is my understanding that I should not share this secret key. The problem is that when I put it as a string literal into my application and use it, like this: #define…
user142019
40 votes, 1 answer

convert Byte Array to Secret Key

I've been trying to convert a byte array to its original SecretKey, but I've no more ideas left. The most promising attempt was this one: byte[] encodedKey = Base64.decode(stringKey); SecretKey originalKey = SecretKeySpec(encodedKey, 0,…
Horstus Horax
37 votes, 3 answers

What should be the "Secret" in JWT?

I am going to apply JWT into my REST API developed using Java-Jersey. I am using this library for JWT - https://github.com/auth0/java-jwt I have a few questions about the JWT Secret. Does this Secret have to be unique? Shall I use the hashed version…
PeakGen
37 votes, 5 answers

In iOS, how can I store a secret "key" that will allow me to communicate with my server?

I want to store a secret key ("abc123") that I will use in the header of my REST API requests. My server will check this secret key. If it matches "abc123", then allow the request to be made. I'm thinking about a simple solution like: let secret =…
TIMEX
35 votes, 2 answers

PBKDF2WithHmacSHA512 Vs. PBKDF2WithHmacSHA1

I'm working on a Java authentication subsystem that specs the storage of passwords in the DB as PBKDF2-generated hashes, and I'm now trying to decide whether I should use SHA1 or SHA512 as PRF. I went through the specs of both but they are very…
DTs
33 votes, 2 answers

What is the appropriate way to manage API secrets within a Google Apps script?

If I write a google apps script, and within the script I need to invoke third party APIs or make database calls, what is the appropriate way of managing secret API keys and passwords? Is there any risk in placing the secrets directly within the…
32 votes, 9 answers

Azure App registration Client secrets expiration

Has Microsoft changed the expiration date for Client secrets to be max 2 years? It is not possible to select "Never" anymore?
Loc Dai Le
31 votes, 3 answers

Making a Git project open source when you have secret keys

I have a project on GitHub behind a private repository. I want to make the repo public. However, my project uses secret keys. How can I make the project public while still protecting the "history" of those secret keys? I'm guessing I'm SOL, and…
user213345
27 votes, 2 answers

How to access secrets when using flutter web with github actions

I have a flutter web app and for accessing the database I have hardcoded an APIKey in a secrets.dart file, and this works perfectly fine. I have added this file to .gitignore in order to prevent it from being pushed to version control. But when it…
Mahesh Jamdade