Ask HN: What are the best practices for storing API keys?
7 points by loourr on May 27, 2015 | 4 comments
If I have a web service which uses other 3rd-party APIs and I want to store the keys securely, what are the best practices around that?

I've looked at Vault (https://hashicorp.com/blog/vault.html), which seems ideal but is still in production.

Also, AWS's Key Management system (KMS) (https://aws.amazon.com/kms/) seems promising but only provides ways to store native AWS keys. Would I then create a database which held the keys encrypted using KMS keys and SQL access keys?



Another option, which is used in production by CloudFlare:

https://github.com/cloudflare/redoctober


Thanks, this looks useful.


About how many API keys are we talking? I'm using environment variables for the job. Might not be manageable if you have many keys, though.


Like 20+. That seems hard since you'd have to make sure the keys didn't show up in any of your logs.
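
Added example, not part of any comment in this thread: one way to keep environment-variable API keys out of log output is a logging formatter that scrubs their values from the fully formatted line, including tracebacks. The variable name `PAYMENTS_API_KEY` and its value are constructed for illustration.

```python
import io
import logging
import os


def load_secrets(env_names, min_length=8):
    """Map each secret value found in the environment to a placeholder."""
    secrets = {}
    for name in env_names:
        value = os.environ.get(name, "")
        # Skip unset or very short values: replacing them would mangle ordinary text.
        if len(value) >= min_length:
            secrets[value] = f"[REDACTED:{name}]"
    return secrets


class RedactingFormatter(logging.Formatter):
    """Scrub known secret values from the fully formatted log line."""
    def __init__(self, fmt, secrets):
        super().__init__(fmt)
        # Longest first, so a secret containing another one is replaced whole.
        self._secrets = sorted(secrets.items(), key=lambda kv: -len(kv[0]))

    def format(self, record):
        # super().format() merges args and appends any traceback, so both are covered.
        line = super().format(record)
        for value, placeholder in self._secrets:
            line = line.replace(value, placeholder)
        return line


def demo():
    key = os.environ["PAYMENTS_API_KEY"] = "sk_test_constructed_0123456789"  # constructed
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    fmt = RedactingFormatter("%(levelname)s %(message)s", load_secrets(["PAYMENTS_API_KEY"]))
    handler.setFormatter(fmt)
    log = logging.getLogger("redaction-demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("calling upstream with key=%s", key)  # secret as a format argument
    try:
        raise ValueError(f"401 from upstream for token {key}")
    except ValueError:
        log.exception("request failed")  # secret inside a traceback
    return stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

This only catches exact matches of the raw value; a key that is base64- or URL-encoded before logging passes through, and every handler needs the redacting formatter attached.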



