Hide secret key in public repository


Question

I am working on an open-source javascript application I am trying to interface with a third party API (github specifically). I am trying to keep my entire application client-side only, so I really won't have a server to fall back to or store hidden files on. As part of the OAuth process I need to provide the secret key provided for my api key. I am not supposed to publish or share this key.

I have come up with the following solution:

  1. Encrypt the secret key using triple DES and a passphrase.
  2. Put the encrypted version somewhere in my repository.
  3. When I need to authenticate via OAuth, prompt for the passphrase and recover the secret key.
  4. Once known, store the secret in local storage to avoid future prompts.

I am essentially storing a transformed version of the secret key. I guess all this buys me is that I must get the passphrase from the user instead of the full key. It should be a little easier to remember than random bytes.

Is this secure enough? It is not a super critical app, but I want to do my best to protect things that I am told not to share. Is there a better way than 3DES to encrypt the key in a reversible way?

Recommended answer

The problem with this solution is that the application has to contain the code (and possibly the key) to decrypt it. The best solution is not to put it in the repository at all.

Most applications store this type of data in a config file that's ignored by version control software. Then include an example config file with a fake key and instructions on how to rename the file and acquire an api key of their own.

A good example of this is in wordpress's config file in the "Authentication Unique Keys and Salts." section.

