API Keys Part II: Securing Keys in Environmental Variables

I would recommend you read this to understand the premise of this article.

If you are too lazy and just want the tl;dr, it is basically this: don’t hardcode API keys into code and upload them to GitHub! This is a no-no and you will end up crying in a corner with an expensive bill that wasn’t your fault (entirely).

So now that you understand how much of a security compromise it is to hard-code in API Keys, what can you do?

STORE YOUR KEYS IN ENVIRONMENTAL VARIABLES!!!

In essence, you store your keys in environmental variables, which makes them available only to the environment your program runs in. This essentially provides a level of indirection: your code points to the place where the keys are actually stored instead of containing the keys itself.

What are environmental variables?

Wikipedia states: “They are a set of dynamic named values that can affect the way running processes will behave on a computer.” Let’s break that down a little more. Think of a variable in a program, but applied to the context of your whole computer instead of to one program on it: an environmental variable is to an operating system as a variable is to a program. There is more to it, but that’s the gist of it.

My example stack is Git + Node.js + Heroku, but whatever your software stack, the same methods should still apply.

First, let’s create some environmental variables. Start by creating a file with one environmental variable name and its value on each line; let’s call each line a key-value pair (make sure there are no spaces around the ‘=’, and notice how each line is essentially a bash command). Save the file as ‘env.sh’. Below is my example env.sh file:

	export AWS_KEY=123456789
	export MONGODB_KEY=987654321

Go into your terminal and make sure this file is executable by the user by executing the command ‘chmod u+x env.sh’. To insert these variables into the context of the shell environment, execute the command ‘source env.sh’.

Now the environmental variables are in the context of the shell environment, so Node.js should be able to find them. Let’s move on to working with Node.

Node.js

Node can read environmental variables easily. To use them in your Node program, just refer to the key names you put into ‘env.sh’ through process.env:

	// make sure to run 'source env.sh' or else keys will be undefined!
	console.log('AWS KEY: ' + process.env.AWS_KEY);
	console.log('MONGODB KEY: ' + process.env.MONGODB_KEY);
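
As an added example (not part of the original gist), here is a startup check that fails fast when the variables are not set and logs only a masked form of each key instead of the key itself. `loadKeys` and `mask` are hypothetical helper names, and the sample environments are constructed from the placeholder values in env.sh.

```javascript
// Added example: AWS_KEY / MONGODB_KEY are the names from env.sh above;
// loadKeys() and mask() are hypothetical helpers, not from the original gist.
const REQUIRED = ['AWS_KEY', 'MONGODB_KEY'];

// Return a frozen { NAME: value } object, or throw an error naming every
// variable that is unset or blank (for example, 'source env.sh' was skipped).
function loadKeys(env = process.env, required = REQUIRED) {
  const missing = required.filter(
    (name) => typeof env[name] !== 'string' || env[name].trim() === ''
  );
  if (missing.length > 0) {
    // Only variable names go into the message, never values.
    throw new Error('Missing environment variables: ' + missing.join(', '));
  }
  const keys = {};
  for (const name of required) keys[name] = env[name];
  return Object.freeze(keys);
}

// Log-safe form of a secret: keeps the length and the last 4 characters.
// Values of 8 characters or fewer are hidden completely.
function mask(secret) {
  if (secret.length <= 8) return '*'.repeat(secret.length);
  return '*'.repeat(secret.length - 4) + secret.slice(-4);
}

// Constructed sample environments (placeholder values from env.sh).
const sourced = { AWS_KEY: '123456789', MONGODB_KEY: '987654321' };
const notSourced = { AWS_KEY: '123456789', MONGODB_KEY: '' };

// With the variables present, log the masked form only.
const keys = loadKeys(sourced);
for (const [name, value] of Object.entries(keys)) {
  console.log(name + ': ' + mask(value));
}

// With a variable blank, the loader refuses to continue.
try {
  loadKeys(notSourced);
} catch (err) {
  console.error(err.message);
}
```

In a real program, call `loadKeys()` with no arguments once at startup so it reads `process.env`, and let the thrown error stop the process.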

  
Git

Pretending that these two files represent the whole project, we obviously do not want to commit ‘env.sh’ and upload it to GitHub, so let’s exclude it from all future commits. Do this by adding the file ‘env.sh’ to your .gitignore file. Now every time you add files and commit your changes, env.sh will be ignored. (.gitignore only affects files Git is not already tracking, so add the entry before env.sh is ever committed.)

AWESOME! You secured your keys so that they are now only local. But what if you are deploying to something like Heroku? It will not be able to find those environmental variables.

Heroku

You are absolutely right, but Heroku offers a convenient way to set environmental variables. Open up Heroku and go into Settings.

Under Config Variables, add your key-value pairs.

That is all! An easy way to secure your credentials by leveraging environmental variables. The best part is you can show your whole code to the world and not worry about anyone stealing your precious API keys.

Source Code: https://gist.github.com/StevenTso/6ca8d090b82783dcb230

I’m @steventsooo on Twitter. I would love to hear what you think!

Published 7 Jun 2015