Comment on How to store user's access tokens/API keys without hashing them?

MajorHavoc@lemmy.world 9 months ago

Someone wants you to use this WSSE? I would brush up your resume and start interviewing - it sounds like that place is on track for a “we liquidated our internal IT and now pay a consulting firm” level of security event.

In the meantime, if you have to store a non-rolling API secret for your app to use, and it’s going to live a long time (not regenerated), then you need to secure the entire environment that has access to that secret. Any additional local reversible encryption is just security theater.

In this scenario, you need a popular, modern, well-supported password vault solution. Do not attempt to roll your own. The purpose of this vault is not to protect the secret, it is to quickly reset the secret* when it inevitably eventually gets compromised.

You must do frequent tests of replacing this secret, in production, with a new one. This is not theoretical. You will eventually either test it on your own terms, or on the bad guys’ terms.

Good luck, you’re going to need it.
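The rotation drill the comment calls for, as an added example (not MajorHavoc's code and not tied to any particular vault product): an in-memory stand-in for the API provider's key check that honours a grace window during rotation, plus a scripted rehearsal that confirms the old key keeps working until the consumer is updated, the new key works, and the retired key is dead afterwards. The key values and the simulated clock are constructed for the example.

```python
import hmac
import secrets
from typing import Dict, Optional


class ApiKeyVerifier:
    """Stand-in for the provider-side check of a long-lived API key.

    Rotation keeps the previous key valid for a grace window so the consuming
    app can be updated without an outage; after that window only the new key works.
    """

    def __init__(self, initial_key: str) -> None:
        self.current = initial_key
        self.previous: Optional[str] = None
        self.previous_expires_at = 0.0

    def rotate(self, now: float, grace_seconds: float) -> str:
        """Issue a fresh key; the old one stays valid until now + grace_seconds."""
        self.previous, self.previous_expires_at = self.current, now + grace_seconds
        self.current = secrets.token_urlsafe(32)
        return self.current

    def accepts(self, presented: str, now: float) -> bool:
        # Constant-time comparison so the check does not leak key bytes via timing.
        if hmac.compare_digest(presented.encode(), self.current.encode()):
            return True
        if self.previous is not None and now < self.previous_expires_at:
            return hmac.compare_digest(presented.encode(), self.previous.encode())
        return False


def rotation_drill(verifier: ApiKeyVerifier, consumer_key: str,
                   now: float = 0.0, grace_seconds: float = 300.0) -> Dict[str, bool]:
    """Scripted rehearsal of a production key swap; returns one flag per check.

    consumer_key is the value the app currently holds (what the vault handed it).
    The clock is a plain float so the drill runs instantly and deterministically.
    """
    results: Dict[str, bool] = {}
    results["old_key_works_before_rotation"] = verifier.accepts(consumer_key, now)
    new_key = verifier.rotate(now, grace_seconds)
    # Consumer not yet updated: the old key must still work inside the grace window.
    results["old_key_works_during_grace"] = verifier.accepts(consumer_key, now + 1)
    consumer_key = new_key  # the vault pushes the new value to the consumer
    results["new_key_works"] = verifier.accepts(consumer_key, now + 2)
    after = now + grace_seconds + 1
    results["old_key_rejected_after_grace"] = not verifier.accepts(verifier.previous, after)
    results["garbage_rejected"] = not verifier.accepts("not-a-key", after)
    results["new_key_still_works"] = verifier.accepts(consumer_key, after)
    return results
```

Any False in the returned dict is the finding the drill exists to surface; a real run swaps the in-memory verifier for the provider's API and the consumer update for the vault's push.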
