Are Heroku's environmental variables a secure way to store sensitive data?

Question

I use Heroku to deploy a Rails app. I store sensitive data such as API keys and passwords in Heroku's environment variables, and then use the data in rake tasks that utilize various APIs.

I am just wondering how secure Heroku's environmental variables are? Is there a way to hash these variables while retaining the ability to use them in the background somehow?

I came across a previous thread here: Is it secure to store passwords as environment variables (rather than as plain text) in config files?.

But it doesn't quite cover instances when I still need the unhashed password to perform important background tasks.

Answer

Several things (mostly my opinion):

-

1. API Keys != Passwords

When you talk about API Keys, you're talking about a public token which is generally already very secure. The nature of API's nowadays is they need some sort of prior authentication (either at app or user level) to create a more robust level of security.

I would firstly ensure what type of data you're storing in the ENV variables. If it's pure passwords (for email etc), perhaps consider migrating your setup to one of the cloud providers (SendGrid / Mandrill etc), allowing you to use only API keys.

The beauty of API keys is they can be changed whilst not affecting the base account, as well as limiting interactivity to the constraints of the API. Passwords affect the base account.

-

2. ENV Vars are OS-level

They are part of the operating environment in which a process runs. For example, a running process can query the value of the TEMP environment variable to discover a suitable location to store temporary files, or the HOME or USERPROFILE variable to find the directory structure owned by the user running the process.

You must remember Environment Variables basically mean you store the data in the environment you're operating in. This generally means the "OS", but can be the virtual instance of an OS too, if required.

The bottom line is your ENV vars are present in the core of your server. The same way as text files would be sitting in a directory on the hard drive - Environment Variables reside in the core of the OS.

Unless you received a hack to the server itself, it would be very difficult to get the ENV variable data programmatically, at least in my experience.
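As an added example (not the answer's own code), the Ruby below shows how a rake task would read such a config var with `ENV.fetch`, and illustrates the point about the process environment: any child process the task spawns sees the same variable unless the task explicitly clears it. The variable name DEMO_API_KEY and its value are constructed for the demo.

```ruby
# Added example, not from the original answer: reading a Heroku config var
# from ENV in a rake-style task, and checking what child processes inherit.
require 'open3'

# Constructed stand-in for a config var set with `heroku config:set`.
ENV['DEMO_API_KEY'] = 'constructed-demo-key-123'

# Read a required config var; fail loudly at boot rather than handing nil
# to an API client, which usually surfaces much later as an opaque 401.
def fetch_secret(name)
  ENV.fetch(name) do
    raise KeyError, "#{name} is not set; configure it with `heroku config:set #{name}=...`"
  end
end

# Spawn a shell child and return the value it sees for the variable.
# With scrub: true the env hash maps the name to nil, which removes the
# variable from the child's environment (Process.spawn semantics). This is
# the pattern to use before shelling out to tools that should not inherit
# the credential (they may log their environment or crash-dump it).
def value_seen_by_child(name, scrub: false)
  env = scrub ? { name => nil } : {}
  out, _status = Open3.capture2(env, 'sh', '-c', "printf '%s' \"$#{name}\"")
  out
end

if __FILE__ == $PROGRAM_NAME
  key = fetch_secret('DEMO_API_KEY')
  puts "task read a key of length #{key.length}"
  puts "child inherits it:  #{!value_seen_by_child('DEMO_API_KEY').empty?}"
  puts "child after scrub:  #{!value_seen_by_child('DEMO_API_KEY', scrub: true).empty?}"
end
```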

