

Ask HN: What are the best practices for storing API keys? - loourr

If I have a web service which uses other 3rd party API and I want to store the keys securely, what are the best practices around that?<p>I&#x27;ve looked at vault (https:&#x2F;&#x2F;hashicorp.com&#x2F;blog&#x2F;vault.html) which seems ideal but still in production.<p>Also AWS&#x27;s Key Management system (KMS)(https:&#x2F;&#x2F;aws.amazon.com&#x2F;kms&#x2F;) seems promising but only provides ways to store native AWS keys. Would I then create a database which held the keys encrypted using KMS keys and SQL access keys?
======
SEJeff
Another option, which is used in production by cloudflare:

[https://github.com/cloudflare/redoctober](https://github.com/cloudflare/redoctober)

~~~
loourr
Thanks, this looks useful.

------
hoare
about how many api keys are we talking? im using enviroment variables for the
job. Might not be manageable if you have many keys though

~~~
loourr
like 20+. That seems hard since you'd have to make sure the keys didn't show
up in any of your logs.

