Question

How to secure important credentials (used in Node.js application code) in separate side utility

I have a special requirement, have gone through the site but have not found any matching my need. I want to secure:

  • DB Connection Credentials
  • Session Secret Key
  • Security Token, Encryption/Decryption Keys
  • 3rd Party API credentials

I do not want these important credentials written or visible in my Node.js application code. However, it is recommended that I store these important credentials and keys in a separate utility. I wonder where and how I should store these credentials in what way, that it returns decryption information to my Node.js application.

In my mind there are number of possible ways:

  1. Use any Linux utility which does required job for me, and this way I can run Linux commands directly in my Node.js application and get the output for use.
  2. Use any C++ program on my Linux machine that does the required job for me?
  3. Or could I use PHP script that hold the important credentials in encrypted format, and return me decrypted credentials when required.
  4. Use any 3rd party program/service on the server?
  5. By use Docker Container? (https://security.stackexchange.com/a/157162/137890)
  6. By holding credentials file in any other machine, then on Node.js application boot/start, we follow Master, client process strategy. In this strategy, mount the credentials file, read and load the credentials in memory/variables, then unmount the credentials file. And initiate the child Process that actually run our Node.js Application (which will get the connectivity credentials from Master process).

Please advise with your appropriate solutions, this is important so in case of any hack attempt my other communication servers(DB Server, API Server, etc) remain secure.

This is related to: http://cwe.mitre.org/data/definitions/259.html But looking for a sulution in the domain/boundary of Node.js / Linux.


Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

There’s no universal solution to this problem but let’s try to sketch out something…

One of the Linux utilities could be environmental variables. You put them directly on the system running and they’re not in code. However, it’s really big security risk to store sensitive data in environmental variables as anybody and any program can read them. As your data is sensible, this solution you should not use it.

So, as you want to keep secrets out of the code, it’s probably good idea to use some third party utility.

Writing C++ program or PHP script could work, but keep in mind that writing your own encrypting solutions and so is almost always bad idea.

It’s best idea to use something already available such as Hashicorp’s Vault. You can play around their API to make it work with Node.js. There’s also some of the Node.js+Vault solutions available such as node-vault, but I’m not sure does it have all features.

There’s a great article, An Introduction to Managing Secrets Safely with Version Control Systems, on our community about storing sensible data, covering VCS, Vault and such solutions, which you should read if you didn’t already.

It’s a bit late, but I created a node package for that: schluessel

It’s inspired by the Ruby on Rails approach to store credentials in your code: Your secrets get encrypted, so you can safely push your encrypted vault file to your Repo, as long as you keep the key out of it. You can access your secrets then by just surrendering the key via an environment variable.