Ask HN: Best practice for storing API keys securely in a B2B SaaS

Readit News

Posted by u/securityquest 4 years ago

My company builds B2B software that has integrations with other systems. These usually require an API key or similar.

When connecting to these systems, we need the API key as plain text.

What is the best practice for storing integrations API keys?

Storing it as plain text in our DB, might be risky in case our DB is compromised.

Thanks

lioeters · 4 years ago

API keys are typically stored as environment variables:

https://help.openai.com/en/articles/5112595-best-practices-f...

ayi · 4 years ago

Deploying them as ENV values and reading from env is the best practice as far as I know. But "deploying" part depends on your infrastructure.

securityquest · 4 years ago

Do you store them as plaintext in the backend db?

tedyoung · 4 years ago

Often keys are stored in some sort of secure Key Vault. This is part of the infrastructure, e.g., Azure Key Vault. Or something like https://www.vaultproject.io/docs/secrets