How to secure important credentials (used in Node.js application code) in separate side utility

Posted November 6, 2017
Tags: Linux Basics, Node.js, Security, Linux Commands, Ubuntu 16.04

I have a special requirement, have gone through the site but have not found any matching my need. I want to secure:

  • DB Connection Credentials
  • Session Secret Key
  • Security Token, Encryption/Decryption Keys
  • 3rd Party API credentials

I do not want these important credentials written or visible in my Node.js application code. However, it is recommended that I store these important credentials and keys in a separate utility. I wonder where and how I should store these credentials, and in what way, so that the utility returns the decrypted information to my Node.js application.

In my mind there are number of possible ways:

  1. Use any Linux utility which does the required job for me; this way I can run Linux commands directly from my Node.js application and get the output for use.
  2. Use any C++ program on my Linux machine that does the required job for me?
  3. Or could I use a PHP script that holds the important credentials in encrypted format, and returns the decrypted credentials to me when required?
  4. Use any 3rd party program/service on the server?
  5. By using a Docker container?
  6. By holding the credentials file on another machine, then on Node.js application boot/start, we follow a master/client process strategy. In this strategy, mount the credentials file, read and load the credentials into memory/variables, then unmount the credentials file. Then initiate the child process that actually runs our Node.js application (which will get the connectivity credentials from the master process).

Please advise with your appropriate solutions; this is important so that in case of any hack attempt my other communication servers (DB Server, API Server, etc.) remain secure.

This is related to:
But looking for a solution in the domain/boundary of Node.js / Linux.

2 answers

It’s a bit late, but I created a node package for that: schluessel

It’s inspired by the Ruby on Rails approach to storing credentials in your code:
Your secrets get encrypted, so you can safely push your encrypted vault file to your repo, as long as you keep the key out of it.
You can then access your secrets by just supplying the key via an environment variable.

There’s no universal solution to this problem, but let’s try to sketch out something...

One of the Linux utilities could be environment variables. You put them directly on the running system and they’re not in the code. However, it’s a really big security risk to store sensitive data in environment variables, as anybody and any program can read them.
As your data is sensitive, you should not use this solution.

So, as you want to keep secrets out of the code, it’s probably a good idea to use some third party utility.

Writing a C++ program or PHP script could work, but keep in mind that writing your own encryption solutions and the like is almost always a bad idea.

It’s the best idea to use something already available such as HashiCorp’s Vault. You can play around with their API to make it work with Node.js. There are also some Node.js+Vault solutions available such as node-vault, but I’m not sure whether it has all the features.

There’s a great article, An Introduction to Managing Secrets Safely with Version Control Systems, on our community about storing sensitive data, covering VCS, Vault and similar solutions, which you should read if you haven’t already.
