We have our web servers running in AWS EC2. We have about 30 API Keys/passwords/
Question
We have our web servers running in AWS EC2. We have about 30 API keys/passwords/etc. (sensitive data) which are set in the environment for our app to use. Whenever we deploy, we start a new server instance, pull down our repo and build our application. I need a way to get the keys down to the server to put into the environment for the application. Since we are deploying multiple times a week, this can't be a manual process. I also don't want to put the keys in our repository. Even if we encrypted a file with all our keys, we would still need a key to decrypt it on the other side. I have a solution in place, but whenever we need to add/change keys it's not very straightforward.
Can anyone think of a good way for me to get these keys into the environment? Thanks!
Explanation / Answer
Facing the same issue, I ultimately decided to provide the crypto keys via an API, when an application asks for them.
This has several advantages and drawbacks:
- you rely on some kind of containment / limitation. In my case it was IP filtering, which was optimal for the architecture we were in.
- there is the risk of IP spoofing, which needs to be weighed
- the API also allowed me to provide a centralized configuration (sent together with the keys upon request)
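The pattern described in this answer, as an added example that is not code from the original post: a key-serving endpoint that relies on source-IP filtering as its containment and returns secrets together with centralized configuration, plus the client side that exports the response into the process environment at deploy time. The subnet, secret names and values are constructed placeholders.

```python
import ipaddress
import json
import os

# Constructed sample data for the key-serving side (assumed VPC subnet of the web tier).
ALLOWED_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]
SECRETS = {"STRIPE_API_KEY": "sk_test_CONSTRUCTED", "DB_PASSWORD": "p4ss-CONSTRUCTED"}
CENTRAL_CONFIG = {"LOG_LEVEL": "info", "FEATURE_FLAGS": "beta-search"}


def client_allowed(source_ip: str, allowed=ALLOWED_NETWORKS) -> bool:
    """IP filtering: the containment the answer relies on. The answer's own
    caveat applies: a source-address check is only as strong as the network
    path that delivers it, so the trade-off with spoofing has to be weighed."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def serve_keys(source_ip: str) -> tuple[int, str]:
    """Server side: (status, JSON body). Keys and config travel in one response."""
    if not client_allowed(source_ip):
        return 403, json.dumps({"error": "forbidden"})
    return 200, json.dumps({"secrets": SECRETS, "config": CENTRAL_CONFIG})


def load_into_env(body: str, env=None) -> list[str]:
    """Client side: parse the response and export every entry into the
    environment. Returns the variable names set so a deploy script can verify
    that all expected keys arrived before starting the application."""
    env = os.environ if env is None else env
    payload = json.loads(body)
    names = []
    for section in ("secrets", "config"):
        for name, value in payload.get(section, {}).items():
            env[name] = str(value)
            names.append(name)
    return names


def bootstrap(source_ip: str, env=None) -> list[str]:
    """Deploy-time flow: new instance asks the API, gets refused or populated."""
    status, body = serve_keys(source_ip)
    if status != 200:
        raise PermissionError(f"key server refused {source_ip}: {body}")
    return load_into_env(body, env)
```

Passing a plain dict as `env` (as the checks below do) keeps the demonstration from touching the real `os.environ`.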