Where to keep private keys and credentials for a web app?
Question
I have a webapp that uses keys and credentials to call API endpoints from external services like payment gateways, database providers, and such.
I have these options in mind to keep these values:
- Set environmental variables before app start and load them when the app runs. If required values are not available, e.g. not set, exit the app.
- On app start, ask the user (myself or an administrator) to enter the credentials. If required fields are empty, exit; otherwise continue loading the app.
- Keep them in a config file as plain values. This is the least preferable way, to me.
Which of these should I use if I want to keep keys as safe and secure as possible?
Answer 1
Score: 2
I would go with user environment variables, as it is recommended by both Google and Amazon.
If you go for storing in plain text files, remember to not keep them in your app's source tree (if you use some version control, you may end up exposing them to the public).
Also, remember to regenerate your keys periodically.
Answer 2
Score: 1
I think you should, as you said, use configuration files. And maybe encrypt it?
Answer 3
Score: 0
If you have lots of keys to manage, environment variables get clumsy. A hybrid approach works for me: encrypt the secrets and put them all in config (typically as base64). Use the same encryption key for all of them, and pass it in as an environment variable.
So you only need to make one environment variable to secure as many other secrets as you need.
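The following is an added example (not code from the asker or any of the answerers) showing the two ideas that come up in this thread together: the question's first option, where the app refuses to start if a required environment variable is missing, and Answer 3's hybrid, where the config file holds only encrypted, base64-encoded secrets and a single master key arrives through the environment. The cipher is AES-256-GCM from the Go standard library (the answer does not name one); the variable name `APP_MASTER_KEY`, the JSON shape of the config, and the sample secret value are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
)

// ErrMissingMasterKey: the env var is unset or empty, so the app must not start.
var ErrMissingMasterKey = errors.New("master key environment variable is not set")

// LoadMasterKey reads a base64-encoded 32-byte AES-256 key from the named
// environment variable (the variable name is an assumption of this example).
func LoadMasterKey(envName string) ([]byte, error) {
	v := os.Getenv(envName)
	if v == "" {
		return nil, ErrMissingMasterKey
	}
	key, err := base64.StdEncoding.DecodeString(v)
	if err != nil {
		return nil, fmt.Errorf("master key is not valid base64: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("master key must be 32 bytes, got %d", len(key))
	}
	return key, nil
}

// newGCM builds an AES-GCM AEAD; GCM authenticates the ciphertext, so a wrong
// key or an edited config value is detected instead of yielding garbage.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one secret and returns base64(nonce || ciphertext || tag),
// which is the form stored in the config file.
func Seal(key, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per secret
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// Open reverses Seal and fails on any authentication error.
func Open(key []byte, encoded string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

// DecryptConfig parses a JSON object of {name: sealedValue} and returns the
// plaintext secrets. Any failure aborts the whole load rather than continuing
// with a partial credential set.
func DecryptConfig(key []byte, configJSON []byte) (map[string]string, error) {
	var sealed map[string]string
	if err := json.Unmarshal(configJSON, &sealed); err != nil {
		return nil, fmt.Errorf("config is not a JSON object of strings: %w", err)
	}
	secrets := make(map[string]string, len(sealed))
	for name, enc := range sealed {
		pt, err := Open(key, enc)
		if err != nil {
			return nil, fmt.Errorf("secret %q: %w", name, err)
		}
		secrets[name] = string(pt)
	}
	return secrets, nil
}

func main() {
	// Constructed demo: mint a key, seal a sample secret, then load it as the app would.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	os.Setenv("APP_MASTER_KEY", base64.StdEncoding.EncodeToString(key)) // assumed name
	loaded, err := LoadMasterKey("APP_MASTER_KEY")
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	sealed, _ := Seal(loaded, []byte("sk_test_constructed_value"))
	secrets, err := DecryptConfig(loaded, []byte(`{"payment_api_key":"`+sealed+`"}`))
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Println("loaded", len(secrets), "secret(s)")
}
```

In practice the sealing step runs once, out of band, when a secret is added; the app itself only ever calls `LoadMasterKey` and `DecryptConfig` at startup, and the encrypted config can sit beside the code without exposing anything as long as the master key stays out of the source tree, which is the point Answer 1 makes.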