How to secure important credentials (used in Node.js application code) in separate side utility

November 6, 2017
Linux Commands Node.js Linux Basics Security Ubuntu 16.04

I have a special requirement; I have gone through the site but have not found anything matching my need. I want to secure:

  • DB Connection Credentials
  • Session Secret Key
  • Security Token, Encryption/Decryption Keys
  • 3rd Party API credentials

I do not want these important credentials written or visible in my Node.js application code. However, it is recommended that I store these important credentials and keys in a separate utility. I wonder where and how I should store these credentials, and in what way, so that it returns the decrypted information to my Node.js application.

In my mind there are a number of possible ways:

  1. Use any Linux utility which does the required job for me; this way I can run Linux commands directly from my Node.js application and get the output for use.
  2. Use any C++ program on my Linux machine that does the required job for me?
  3. Or could I use a PHP script that holds the important credentials in encrypted format and returns the decrypted credentials when required?
  4. Use any 3rd-party program/service on the server?
  5. By using a Docker container? (https://security.stackexchange.com/a/157162/137890)
  6. By holding the credentials file on another machine; then, on Node.js application boot/start, we follow a master/child process strategy. In this strategy, mount the credentials file, read and load the credentials into memory/variables, then unmount the credentials file. Then initiate the child process that actually runs our Node.js application (which will get the connection credentials from the master process).

Please advise with your appropriate solutions; this is important so that in case of any hack attempt my other communication servers (DB server, API server, etc.) remain secure.

This is related to: http://cwe.mitre.org/data/definitions/259.html
But I am looking for a solution within the domain/boundary of Node.js / Linux.

1 Answer

There's no universal solution to this problem, but let's try to sketch out something.

One of the Linux utilities could be environment variables. You put them directly on the system that is running and they're not in code. However, it's a really big security risk to store sensitive data in environment variables, as anybody and any program can read them.
As your data is sensitive, you should not use this solution.

So, as you want to keep secrets out of the code, it's probably a good idea to use some third-party utility.

Writing a C++ program or a PHP script could work, but keep in mind that writing your own encryption solutions and the like is almost always a bad idea.

It's the best idea to use something already available, such as HashiCorp's Vault. You can play around with their API to make it work with Node.js. There are also some Node.js+Vault solutions available, such as node-vault, but I'm not sure whether it has all the features.

There's a great article, An Introduction to Managing Secrets Safely with Version Control Systems, on our community about storing sensitive data, covering VCS, Vault and similar solutions, which you should read if you haven't already.
