
How to securely store JWT secrets/private keys in a Node.js application?

Use only native Node.js methods, or use a secret management service?

madruga
  • 104
  • 1
  • 8

1 Answer


First of all, you don't need to store JWT tokens, as they are not meant for storing. You can always validate them if you have the secret key available, using whichever JWT library is being used.

Now, when you host your services, one way people access the secrets is through environment variables. However, they are visible to everyone who has access to the lambda/cloud functions or any specific services in the cloud.

process.env.VARIABLENAME

Secret managers are a great way to store your keys, passwords or anything that seems sensitive. We are extensively using them wherever we see the use of passwords, usernames, DB connection strings, etc.

Use only native Node.js methods

Not sure what native methods you meant here? You can use an env file to keep things on servers, but it is only useful when you host them on servers or containers (never used them on lambdas).

Apoorva Chikara
  • 8,277
  • 3
  • 20
  • 35
  • Hello, thanks for your answer. I meant to ask what the most secure way is to store my private keys that sign the JWT tokens, so people with access to the code or environment won't be able to decrypt the signed data. ENV variables are a native method, but I don't think they are secure enough. – madruga May 19 '22 at 15:48