Storing API credentials in DB

Let’s say I have an app that handles ordering bubble gum for clients. Each client has their own API credentials for the bubble gum supplier. I handle placing orders for more bubble gum by sending an order request using the client’s API keys. When I had one client, I stored their API creds as an ENV and accessed them that way when making requests to the bubble gum supplier. Now I have more than one client and I need to store all of their API credentials so I can use each client’s API keys accordingly to place orders via API requests.

What is the best way to store these with security in mind? Encrypt the keys, then store them in the DB as :string and decrypt before inserting the keys into the request? If so, is there a recommended library for encryption? I’m using Postgres, if that matters.

1 Like

Encrypting is fine, though if you want what’s generally regarded as high security, if it’s really that important, then I use Consul by Hashicorp; it’s exceedingly powerful for holding encrypted data like access tokens. Encrypting in the database is “fine”, but where you hold the decryption key really, really matters (in which case something like Consul is also great for holding the decryption key). The main important thing is to make it as hard as possible for someone to get that key and what it decrypts, even if they have access to the server.

3 Likes

cloak_ecto is the library that you’re after.

1 Like

Are you referring to Cloak.Ecto hexdocs? If so, I don’t think I just want it encrypted in the DB. My fear with that would be the Account info would be accidentally preloaded or otherwise pulled from the DB and thrown around the code base where not needed. So, I like the idea of having to intentionally decrypt the account info specifically when I am adding it to the API request; otherwise it’s always encrypted. So, I am looking at Cloak and wondering if that library is trusted.

1 Like

I think that redacting the field would address your concerns.

1 Like
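
An added example, not code from any of the posts above: one way to combine the ideas in this thread, keeping the key as ciphertext in a plain `:binary` column with `redact: true`, and decrypting through the Cloak vault only where the supplier request is built. The `BubbleGum.*` module names, the field name and the demo key handling are hypothetical; it assumes the `cloak`, `ecto` and `jason` Hex packages.

```elixir
# Added example; module names, field names and key handling are hypothetical.
Mix.install([:ecto, :cloak, :jason])

defmodule BubbleGum.Vault do
  # Cloak vault: a GenServer that holds the cipher configuration (and the key).
  use Cloak.Vault, otp_app: :bubble_gum
end

defmodule BubbleGum.Account do
  use Ecto.Schema

  schema "accounts" do
    field :name, :string
    # Plain :binary column holding ciphertext, so a preload never yields the
    # plaintext key; redact: true also keeps the value out of inspect/log output.
    field :supplier_api_key_enc, :binary, redact: true
  end

  # Encrypt at write time; the plaintext is never stored on the struct.
  def put_api_key(%__MODULE__{} = account, plaintext) when is_binary(plaintext) do
    %{account | supplier_api_key_enc: BubbleGum.Vault.encrypt!(plaintext)}
  end

  # Decrypt only for the duration of `fun`, e.g. while building request headers,
  # so callers have to ask for the plaintext explicitly.
  def with_api_key(%__MODULE__{supplier_api_key_enc: ct}, fun) when is_binary(ct) do
    fun.(BubbleGum.Vault.decrypt!(ct))
  end
end

# Constructed demo key so the script runs offline. In a deployment the 32-byte
# key is loaded at boot from outside the database (env var or a secret store).
demo_key = :crypto.strong_rand_bytes(32)

{:ok, _pid} =
  BubbleGum.Vault.start_link(
    ciphers: [default: {Cloak.Ciphers.AES.GCM, tag: "AES.GCM.V1", key: demo_key, iv_length: 12}]
  )

account =
  BubbleGum.Account.put_api_key(%BubbleGum.Account{name: "client-a"}, "constructed-demo-api-key")

# The redacted field's value is omitted from the inspected struct.
IO.inspect(account)

headers = BubbleGum.Account.with_api_key(account, &[{"authorization", "Bearer " <> &1}])
IO.inspect(match?([{"authorization", "Bearer constructed-demo-api-key"}], headers))
```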