Hi,
I’m in the middle of the rather painful task of converting our phoenix API to an app that accepts and serves HTML requests.
This is all working fine locally, my issue comes when setting the signing salt for the Plug.Session module. It gets set in MyApp.Endpoint and I’d like it to look like this:
plug(Plug.Session,
store: :cookie,
key: "myapp_key",
signing_salt: Application.compile_env(:myapp_web, MyAppWeb.Endpoint)[:secret_key_base],
key_length: 70,
log: :debug
)
While this works locally, when build and deployed, this value is obviously nil, which results in errors.
I guess the first question is, is hard coding the salt here a security issue?
And if so, how can I set the signing_salt after I’ve access to env vars?
Thanks in advance
Setting the signing_salt to the value of secret_key_base doesn’t make much sense in the first place.
The idea of a salt in a key derivation function (KDF) is to derive secondary secrets from a single master secret. This is necessary because it is not safe to use the same master key for multiple use-cases in different contexts. As long as you keep your master secret safe, the salts don’t have to be kept secret. If one of the derived secrets is compromised you can just change the salt to rotate it. As long as each individual salt is unique and is never reused in another context.
TL;DR: you can hardcode a signing_salt value at compile-time and commit it to your code repo, as long as you are ok with a code push should you ever have a need to rotate it. (But don’t set it to the current value of secret_key_base, obviously, as that should remain secret!).
3 Likes
I was trying to cut down on the env vars I was using by re-using the salt, but now appreciate that’s probably introducing a whole different security concern.
I’ll go with hardcoding a unique one, thanks for the advice 
