How do you hide an API's secret keys?


#1

I’m most familiar with writing server side code in node.js. When connecting to an external API, it’s best to keep secret keys, api keys, etc stored as environment variables. I typically use dotenv. This allows me to keep my .env file excluded from my git repository. That way, the keys are secure. I’m sure many of us know, this is an important approach to keeping sensitive data hidden.

Unfortunately, none of the modules I’ve seen work out of the box with Ionic 2. So, how do I hide an API’s secret keys?


#2

Here’s a way to hook up dotenv with Ionic 2, although an official solution is also underway.

While .env files are ok for most cases (including yours), for more advanced use cases, like keys shared between apps, etc one may consider Hashicorp Vault.


#3

I’ll look into the first solution.

How does Vault keep the keys secure? As I read through the docs, you still need to store the Vault secret within your app. So doesn’t that just add a step to the process? It does add a lot of management options, but I’m just talking about keeping the key secure.


#4

If you’re concerned about somebody extracting the key from a compiled APK, there isn’t really any way to prevent that. If you control the backend, there are ways (JWT, for instance) to obviate needing to store secrets in the app binary.


#5

As I said before, it is advised to use the .env solution since, as you noticed, is much more streamlined.


Now in a Hashicorp Vault approach, you would have a remote Vault server that holds all the secrets needed to build your app. You as well as other employees for example could have access to the same or a different collection of secrets, your access leased for a specific time period, each time you ask for a secret it is logged and all of these may be done without you ever being able to know the actual value of a secret e.g. an API key. The actual secret values are inserted in the code automatically.

So what you would do when you open your laptop to work would be to login a terminal to the remote Vault server with something like vault auth d08e2bd5-ffb0-440d-6486-b8f650ec8c0c (that is an example token that may be given to you by your manager) and then you can proceed with ionic build android --release etc…

Now I wouldn’t like to go in more detail, since we are already way off topic. For more info on Hashicorp Vault authentication go here.