隐藏公共存储库中的密钥 [英] Hide secret key in public repository

问题描述

我正在开发一个开源的javascript应用程序我试图与第三方API（特别是github）进行交互。我试图只保留我的整个应用程序客户端，所以我真的不会有服务器回退或存储隐藏的文件。作为OAuth流程的一部分，我需要提供为我的api密钥提供的密钥。我不应该发布或分享这个密钥。

I am working on an open-source javascript application I am trying to interface with a third party API (github specifically). I am trying to keep my entire application client-side only, so I really won't have a server to fall back to or store hidden files on. As part of the OAuth process I need to provide the secret key provided for my api key. I am not supposed to publish or share this key.

我已经提出了以下解决方案：

I have come up with the following solution:

1. 使用三重DES和密码来加密密钥。


2. 将加密版本放在我的存储库中。


3. 当我需要通过Oauth进行身份验证时，提示输入密码并恢复密钥。


4. 一旦知道，将密钥存储在本地存储中以避免将来出现提示。

1. Encrypt the secret key using triple-DES and a passphrase.
2. Put the encrypted version in my repository somewhere.
3. When I need to authenticate via Oauth, prompt for the passphrase and recover the secret key.
4. Once known, store secret in local storage to avoid future prompts.

我实际上是存储了一个秘密密钥的转换版本。我猜这一切都是因为我必须从用户那里获取密码而不是完整密钥。它应该比随机字节更容易记住。

I am essentially storing a transformed version of th secret key. I guess all this buys me is that I must get the passphrase from the user instead of the full key. It should be a little easier to remember than random bytes.

这是否足够安全？它不是一个超级关键的应用程序，但我想尽我所能来保护我被告知不要分享的东西。是否有比3DES更好的方式以可逆的方式加密密钥？

Is this secure enough? It is not a super critical app, but I want to do my best to protect things that I am told not to share. Is there a better way than 3DES to encrypt the key in a reversible way?

推荐答案

此解决方案的问题是应用程序必须包含解密它的代码（可能还有密钥）。最好的解决方案是不要放入存储库。

The problem with this solution is that the application has to contain the code (and possibly the key) to decrypt it. The best solution is not to put in the repository at all.

大多数应用程序将此类数据存储在版本控制软件忽略的配置文件中。然后包含一个带有假密钥的示例配置文件以及如何重命名文件并获取自己的api密钥的说明。

Most applications store this type of data in a config file that's ignored by version control software. Then include an example config file with a fake key and instructions on how to rename the file and acquire an api key of their own.

这方面的一个很好的例子是< 认证唯一键和盐中的href =http://core.svn.wordpress.org/trunk/wp-config-sample.php =noreferrer> wordpress的配置文件。部分。

A good example of this is in wordpress's config file in the "Authentication Unique Keys and Salts." section.

这篇关于隐藏公共存储库中的密钥的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！