无法理解在哪里存储私钥
[英]Having trouble understanding where to store private keys
问题描述
I am having an issue determining how to store API keys or other private information correctly.
我在确定如何正确存储 API 密钥或其他私人信息时遇到问题。 I have a helper library for a large set of inner-facing company applications that calls an external API for emailing and must have access to the API key.我有一个帮助库,用于大量面向内部的公司应用程序,这些应用程序调用外部 API 来发送电子邮件,并且必须能够访问 API 密钥。 I store this key in a shared configuration file used by these applications.我将此密钥存储在这些应用程序使用的共享配置文件中。 If I wanted to further secure the key by encrypting it or moving it to a service like Azure Key Vault, I then am stuck with the dilemma of having simply complicated the problem because I now have the private key for that encryption or the key to access Azure Key Vault that I now need to secure.如果我想通过加密或将其移动到 Azure Key Vault 之类的服务来进一步保护密钥,那么我就会陷入将问题简单地复杂化的困境,因为我现在拥有用于该加密的私钥或可以访问的密钥我现在需要保护的 Azure Key Vault。 Because this type of issue is so common I am assuming I am missing something here.因为这类问题很常见,所以我假设我在这里遗漏了一些东西。 Each time I try to further encrypt or otherwise secure a key I am simply adding another layer of the same problem.每次我尝试进一步加密或以其他方式保护密钥时,我只是添加了同一问题的另一层。 I still end up with a private key sitting somewhere in plain text.我最终还是得到了一个以纯文本形式存在的私钥。 Is it the case that having a plain text key in an otherwise secure environment is just not an issue after all?在其他安全的环境中拥有纯文本密钥是否根本不是问题?
I would like to point out that I cannot use Environment Variables or some of the other tools I have seen to secure keys on the machine as these applications can be run on any number of terminal servers or local machines throughout the company.我想指出,我不能使用环境变量或我见过的其他一些工具来保护机器上的密钥,因为这些应用程序可以在整个公司的任意数量的终端服务器或本地机器上运行。 Most are click-once Dot Net applications written in .Net 4.5 and can run anywhere in our environment, some by any user in our domain.大多数是用 .Net 4.5 编写的单击一次的 Dot Net 应用程序,可以在我们环境中的任何地方运行,其中一些可以由我们域中的任何用户运行。
1 个解决方案
解决方案1
0 已采纳 2022-04-25 04:27:02
I don't use azure but I assume Azure Key Vault is very similar to AWS Secrets Manager which is exactly the thing I would use (I wrote about one use case for storing Amplitude API keys on my blog ).我不使用 azure,但我认为 Azure Key Vault 与AWS Secrets Manager非常相似,这正是我将使用的东西(我在我的博客上写了一个用于存储 Amplitude API 密钥的用例)。
Why is this better than simply having the key lying around in a file?为什么这比简单地将密钥放在文件中更好?
- Simplified key distribution: you don't need to download the key on all the machines简化密钥分发:您无需在所有机器上下载密钥
- Improved security: you simply load the key at runtime, no need to have the key lying on the disk forever提高安全性:您只需在运行时加载密钥,无需将密钥永远放在磁盘上
Note there's not much point in double-encrypting the key as you mentioned.请注意,您提到的双重加密密钥没有多大意义。 That's just increasing complexity without improving the security of the solution much.这只是增加了复杂性,而没有大大提高解决方案的安全性。 Also, in case of AWS, you would specify a very granular IAM policy/permissions for accessing the specific secret and attach the policy to the IAM role assigned to the instances needing to work with the key.此外,在 AWS 的情况下,您将指定一个非常精细的 IAM 策略/权限来访问特定的密钥,并将该策略附加到分配给需要使用密钥的实例的 IAM 角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.