Where should sensitive app internal information be stored

I am developing a backend in Elixir which is supposed to communicate with an Android app that uses Facebook login. For that to be secure I need somehow to securely store my Facebook app secret key on the server side (Phoenix app), probably encrypted. Do you know if there is a structure inherently secure to the application so I can store my secret key there, or what process you used in similar situations?

Thanks in advance

You need the secret every time you verify a token with Facebook, so there’s no escaping having it in memory. (Encrypting it while it’s in memory would require a key that’s in memory to decrypt the secret, and so on.) Don’t stress too much about it: the overall system is designed to cope, including Facebook’s side of things. If anything goes wrong, they’ll disable your account until you fix the problem and get a new secret. Then, you’ll be back in business.

To reduce how often it goes wrong, be ruthless about avoiding leaving it anywhere else. Don’t commit it to your repository. Don’t let it get baked into the sys.config or vm.args in your build artifact when you mix release. Try not to keep it unencrypted on your machine.

For each deployment mechanism, there’s a way to store the secret encrypted nearby until launch and then shove it into a file or an environment variable just in time. Some systems let you fetch the secrets just after launch, e.g. HashiCorp Vault and AWS Parameter Store.

None of these mechanisms are perfect, but they’re good enough given the rest of the mitigations in the system.
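As an added example (not code from this thread, and not Phoenix's own), here is what the reply above amounts to in Elixir: the secret is read from the environment only at runtime and kept in process memory, and it is used to derive Facebook's `appsecret_proof` (an HMAC-SHA256 of the user access token keyed with the app secret) and to build the `/debug_token` request that verifies a token the Android app sent. The application name `:my_app`, the variable names `FACEBOOK_APP_ID` / `FACEBOOK_APP_SECRET`, and all demo values are assumptions; in a real Phoenix app the `System.fetch_env!/1` calls belong in `config/runtime.exs`, which is evaluated when the release boots, rather than in `config/prod.exs`, which `mix release` evaluates and writes into the artifact's sys.config.

```elixir
# Added example, not code from the original thread. Assumes a Phoenix app
# named :my_app and the hypothetical FACEBOOK_APP_ID / FACEBOOK_APP_SECRET
# environment variables. Run with: elixir facebook_secret.exs

defmodule MyApp.Facebook do
  @moduledoc """
  Reads the Facebook app secret from the environment at runtime and keeps it
  only in process memory. In a real app, move the System.fetch_env!/1 calls
  into config/runtime.exs (evaluated at boot) and read the values back with
  Application.fetch_env!/2; never put them in config/prod.exs, which is
  evaluated during `mix release` and baked into the artifact's sys.config.
  """

  @graph_api "https://graph.facebook.com"

  @doc "Fetches the secret at call time; fails loudly if it is missing."
  def app_secret, do: System.fetch_env!("FACEBOOK_APP_SECRET")

  @doc "Fetches the app id at call time."
  def app_id, do: System.fetch_env!("FACEBOOK_APP_ID")

  @doc """
  HMAC-SHA256 of the user access token keyed with the app secret, hex encoded.
  Facebook accepts this as the `appsecret_proof` query parameter, so the
  server proves it holds the secret without sending the secret itself.
  """
  def appsecret_proof(access_token, secret \\ app_secret()) do
    :crypto.mac(:hmac, :sha256, secret, access_token)
    |> Base.encode16(case: :lower)
  end

  @doc """
  Builds the `/debug_token` URL used to verify a token sent by the Android
  app. The app access token is `"<app-id>|<app-secret>"`, so this is the one
  place the secret leaves memory: only over TLS to graph.facebook.com, and
  never written to a log line.
  """
  def debug_token_url(input_token, id \\ app_id(), secret \\ app_secret()) do
    query =
      URI.encode_query(%{
        "input_token" => input_token,
        "access_token" => id <> "|" <> secret
      })

    @graph_api <> "/debug_token?" <> query
  end

  @doc """
  Interprets the parsed `data` object of a `/debug_token` response. A token is
  accepted only if Facebook reports it valid AND it was issued for our app;
  a valid token minted for some other app must not log a user in here.
  """
  def token_ok?(%{"is_valid" => true, "app_id" => id}, expected_app_id),
    do: id == expected_app_id

  def token_ok?(_data, _expected_app_id), do: false
end

# Constructed demo values. A real deployment injects these just before launch
# from Vault / Parameter Store / an encrypted file, never from the repository.
System.put_env("FACEBOOK_APP_ID", "123456789012345")
System.put_env("FACEBOOK_APP_SECRET", "dummy-app-secret-for-demo-only")

token = "EAAB-constructed-user-access-token"
IO.puts("appsecret_proof: " <> MyApp.Facebook.appsecret_proof(token))

# The URL embeds the secret, so only check its shape instead of printing it.
url = MyApp.Facebook.debug_token_url(token)
IO.puts("debug_token URL built: #{String.starts_with?(url, "https://graph.facebook.com/debug_token?")}")

# Constructed /debug_token "data" objects: one for our app, one for another app.
IO.inspect(MyApp.Facebook.token_ok?(%{"is_valid" => true, "app_id" => "123456789012345"}, MyApp.Facebook.app_id()), label: "own app token ok?")
IO.inspect(MyApp.Facebook.token_ok?(%{"is_valid" => true, "app_id" => "999"}, MyApp.Facebook.app_id()), label: "foreign app token ok?")
```

The `app_id` check in `token_ok?/2` is the part people skip: `/debug_token` will happily report a token as valid when it was issued to a different Facebook app, so validity alone does not prove the token came from your Android client.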

Kamus sounds like a good solution, but seems directed at Kubernetes; maybe you can explore it to see if it is possible to use it outside Kubernetes.

An open source, GitOps, zero-trust secrets encryption and decryption solution for Kubernetes applications. Kamus enables users to easily encrypt secrets that can be decrypted only by the application running on Kubernetes. The encryption is done using strong encryption providers (currently supported: Azure KeyVault, Google Cloud KMS and AES). To learn more about Kamus, check out the blog post and slides.

Another option is HashiCorp Vault, which is a secrets management tool that centrally stores your secrets and allows them to be retrieved.

Centrally store, access, and distribute secrets like API keys, AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.


By "to the application", do you mean the Phoenix app or the Android app?

I use this one for a variety of things; it works well.
