1

I have a specific use case in my application to store users 3rd party API Keys to retrieve data from those 3rd parties. It is a web application and I am using express as well as MongoDB for the database.

Is there a specific way to best secure it (I need to access the actual key multiple times after it's stored). Or should I not be storing these at all?

If not, what solutions do you have to get around this problem?

Rocksmash
  • 93
  • 1
  • 8

1 Answers1

0

If you're storing the keys in MongoDB, this might be a good use case for Client-Side Field Level Encryption introduced in MongoDB 4.2.

From the page:

Applications can encrypt fields in documents prior to transmitting data over the wire to the server. Only applications with access to the correct encryption keys can decrypt and read the protected data. Deleting an encryption key renders all data encrypted using that key as permanently unreadable.

See Client-Side Field Level Encryption Guide for an example use case.

Note that some of the nicer features of Field Level Encryption such as automatic encryption of fields so the encrypted field can be transparently used by the drivers are MongoDB Enterprise Edition feature and not the Community Edition feature. However, MongoDB Atlas uses the Enterprise Edition as standard.

kevinadi
  • 13,365
  • 3
  • 33
  • 49
  • Thanks for the response! Will this prevent developers from being able to see the API Keys of our users if using the mentioned AWS Key Management System? – Rocksmash Jan 08 '20 at 23:34
  • I assume anyone that has access to the key (KMS) would be able to decrypt them. If your database is compromised, the data would be unreadable. If a rogue dev copied the database, it will be unreadable as well since they won't have access to the key. – kevinadi Jan 08 '20 at 23:43
  • Thank you for the clarification! I guess it's now in the user's hand to trust the company and head developers to not go in and read the data. – Rocksmash Jan 08 '20 at 23:50
  • I'm not sure I follow. Are you not developing the app yourself? – kevinadi Jan 09 '20 at 00:01
  • Yes I am, just a comment saying that since the head developer (me) can access the actual values in the database, the users will have to trust that the data is secure and I am not accessing it for non programatic purposes. – Rocksmash Jan 09 '20 at 00:14
  • I see. That is an entirely different discussion, I guess. At some point, the data would need to be readable by someone. Typically companies sign contracts that stated that if they broke this trust, there are consequences that the clients can pursue against them. But again, this is a separate discussion not related to the technology at hand. – kevinadi Jan 09 '20 at 00:17
  • Understood, thank you for the answer and links to the guides :) – Rocksmash Jan 09 '20 at 00:45