[英]Where to keep private keys and credentials for a web app?
I have a webapp that uses keys and credentials to call API endpoints from external services like payment gateways, database providers, and such. 我有一个Web应用程序,该应用程序使用键和凭据从诸如支付网关,数据库提供者之类的外部服务调用API端点。
I have these options in mind to keep these values: 我谨记以下这些选项来保持这些值:
Which of these should I use if I want to keep keys as safe and secure as possible? 如果我想尽可能安全地保管钥匙,应该使用哪个?
I would go with user environment variables , as it is recommended by both google and amazon . 我会使用用户环境变量 ,这是google和amazon都建议的。
If you go for storing in plain text files, remember to not keep them in your app's source tree (if you use some version control, you may end up exposing them to public). 如果要存储为纯文本文件,请记住不要将其保留在应用程序的源代码树中(如果使用某些版本控制,则可能最终将其公开)。
Also, remember to regenerate your keys periodically. 另外,请记住要定期重新生成密钥。
I think you should, as you said, use configuration files. 我认为您应该像您所说的那样使用配置文件。 And maybe encrypt it ? 也许加密它?
If you have lots of keys to manage, environment variables get clumsy. 如果要管理很多键,则环境变量会变得笨拙。 A hybrid approach works for me: encrypt the secrets and put them all in config (typically as base64). 混合方法对我有用:加密秘密并将其全部放入config(通常为base64)中。 Use the same encryption key for all of them, and pass it in as an environment variable. 对所有密钥使用相同的加密密钥,并将其作为环境变量传递。
So you only need to make one environment variable to secure as many other secrets as you need. 因此,您只需要设置一个环境变量即可根据需要保护尽可能多的其他机密。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.