1

Does Digital Ocean have something similar to Credstash or AWS Secrets Manager (both AWS services)?

Trying to decide on the most secure way to store environmental variables with sensitive information (like database access codes, for example).

Locally, I have .env file that is named in my .gitignore to prevent it being version controlled.

If just in a .env file or environment variables, what’s the best way to keep that secure for the app to run appropriately?

Much appreciated :)

Cheers

ADDITIONAL INFO:

I have a fullstack SPA (MongoDB, Node, React, Express) on the digital ocean droplet.

Note: Mirror from Stackoverflow (recommended I post this here).

AleksanderCH
  • 731
  • 4
  • 11
  • 23
SethGoodluck
  • 111
  • 2
  • Depends. What is your threat model? – Conor Mancone Apr 16 '20 at 23:29
  • @ConorMancone depending on how deeply you want me to get into it: there is an external database that contains personally identifiable information about users. To access this database, you would need the credentials stored in the .env file and be calling from the IP address of the Linux server. – SethGoodluck Apr 17 '20 at 02:27
  • That's the resource you're trying to protect, so you're halfway there. But what is your threat model? Are you worried about people hacking into your server and finding it? Do you want to stop your own employees from having access to it? Are you worried about accidentally pushing it to a public github repo? – Conor Mancone Apr 17 '20 at 09:21
  • @ConorMancone: Thank you for the time!

    I'm not worried about it getting into source control (.gitignored and githooks to block that)

    I'm not worried about employees accessing it. Only a handful have rights to access the server.

    Therefore, mostly worried about the first option -- an external party compromising the server, accessing the credentials, and getting into the DB. Thoughts on how I wanted to protect the resource below

     – SethGoodluck Apr 17 '20 at 15:53

  • Someone in the other thread mentioned encrypting the .env file at rest.

  • I also intend to activate the droplet's firewall to only allow port 80.

  • I also use a GraphQL api so can restrict the allowable verbs to only Posts

  • I was considering restricting the allowable DB IP address to the server, so even if keys were compromised, the vector would have to come from my own server, which would slow things down.

    • – SethGoodluck Apr 17 '20 at 15:59
  • Since I'm not an InfoSec or DevOps engineer by training, I'm hoping to understand if these precautions are sufficient. Or if I'm missing something very obvious. I guess a part of me is nervous about having the application deployed to a public-facing server that contains the .env variables. Wanting to make sure those can't (easily) be taken and cause one of these all-to-common data breaches. – SethGoodluck Apr 17 '20 at 16:02