Keeping client secrets in a Django app in App Engine

I have a Django application that uses some secret keys (e.g. for OAuth2 / JWT authentication). I wonder where the right place to store these keys is.

Here are the methods that I have found so far:

  • Hardcoding: not an option, I don't want my secrets in source control.
  • Hardcoding + obfuscating: same as #1, attackers can just run my code to get the secret.
  • Saving in environment variables: my app.yaml is also under source control.
  • DB storage: not sure about that. The database is not reliable enough in terms of accessibility and security.
  • Saving to a file not under source control: my favorite method. The problem is that I need a backup for the files, and a manual backup does not sound right.

Am I missing something? Is there a best practice for storing private keys for Django apps or App Engine apps?

2 answers

It is hardly possible to hide secret keys from an attacker who could gain access to your server, because the server needs to know the keys. But you can make it difficult for an attacker with low privileges.

Obfuscation is not usually considered good practice.

Your option 5 seems reasonable. Storing keys in a file that is not under source control allows you to keep the keys in one specific place. You can set appropriate permissions for this file so that an attacker needs high privileges to open it. Also make sure that editing the rest of the project requires high privileges, otherwise the attacker could modify a random project file to access the keys.

I myself use your option 5 in my projects.

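One way to implement the answer's option 5 in Django, as an added example that is not part of the original answers: the settings module loads the secrets from a JSON file kept outside the repository and refuses to start if the file is readable by group or others, so a low-privileged attacker has to escalate before the file yields anything. The environment variable name `DJANGO_SECRETS_FILE`, the default path, the key names and the sample values are all assumptions for the illustration.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed variable and placeholder default path; not from the original post.
SECRETS_PATH = Path(os.environ.get("DJANGO_SECRETS_FILE", "/etc/myapp/secrets.json"))
REQUIRED_KEYS = ("SECRET_KEY", "OAUTH_CLIENT_SECRET", "JWT_SIGNING_KEY")


class SecretsError(RuntimeError):
    """Raised when the secrets file is missing, malformed or too permissive."""


def check_file_mode(path):
    """Reject a secrets file that group or others can access (needs chmod 600)."""
    st = Path(path).stat()
    if not stat.S_ISREG(st.st_mode):
        raise SecretsError(f"{path} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretsError(f"{path} has mode {stat.S_IMODE(st.st_mode):o}; expected 600")
    return True


def load_secrets(path=SECRETS_PATH, required=REQUIRED_KEYS):
    """Load and validate the out-of-tree secrets file; fail closed on any problem."""
    path = Path(path)
    if not path.exists():
        raise SecretsError(f"secrets file {path} not found")
    check_file_mode(path)
    with path.open("r", encoding="utf-8") as fh:
        data = json.load(fh)
    missing = [k for k in required if not data.get(k)]
    if missing:
        raise SecretsError("missing secrets: " + ", ".join(missing))
    return {k: data[k] for k in required}


def write_secrets_file(path, secrets, mode=0o600):
    """Create the file with a restrictive mode from the start, then re-apply it
    in case the umask or a pre-existing file widened the permissions."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(secrets, fh)
    os.chmod(path, mode)
    return path


def demo():
    """Constructed check: a 0600 file loads, a 0644 copy of it is rejected."""
    sample = {"SECRET_KEY": "example-not-real", "OAUTH_CLIENT_SECRET": "x", "JWT_SIGNING_KEY": "y"}
    with tempfile.TemporaryDirectory() as tmp:
        loaded = load_secrets(write_secrets_file(Path(tmp) / "secrets.json", sample, 0o600))
        try:
            load_secrets(write_secrets_file(Path(tmp) / "loose.json", sample, 0o644))
            rejected = False
        except SecretsError:
            rejected = True
    return loaded["SECRET_KEY"], rejected
```

In `settings.py` this becomes `_secrets = load_secrets()` followed by `SECRET_KEY = _secrets["SECRET_KEY"]`, so a misconfigured file stops the process at import time rather than at the first request.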

The solution I saw was to store an encrypted copy of the secret configuration in your repository using gpg. Depending on the structure of your team, you can encrypt it symmetrically and share a password to decrypt it or encrypt it using the public keys of the main members / maintainers.

Thus, your secrets will be maintained in the same way as your code, without making them visible.


Source: https://habr.com/ru/post/978896/
