Major key alert02.18.16 · python
There are two big things that’ll get your hacker card pulled:
- Running as root
- Storing your API keys or passwords in git
When Linux first gained popularity on the desktop, RaR was rampant. Need proof? Look through some of the screenshots on Pretty Linux and focus on the console windows. It’s disconcerting.
Now obviously, you know better than make your passwords public, but not everybody gets why you need to secure your API keys. Here’s the deal: API keys are just as powerful as passwords and frequently are tied to credit cards / billing accounts. Once someone has your keys, they can ring up charges that you’ll be on the hook for & legally responsible for (think spam botnets, huge Twilio bills, slanderous Twitter posts, etc.)
And there are people out there scraping GitHub and BitBucket for API keys. It’s a real thing. So please don’t commit your keys to git.
But hey, apps need keys & passwords to function, so what are you going to do?
Scenario 1: web app
Let’s say you’re developing a web app on your computer. Your code is stored on GitHub, you use CI to run builds & tests, and you deploy to a remote PaaS like Heroku or OpenShift.
Most developers would store keys in an
.env file, add it to their .gitignore, copy that file to their remote server via ssh, and call it a day. I think this is an ok solution—but FYI, .env files are basically plaintext.
Scenario 2: local app
If you’re working with a local app / script that uses your personal login credentials for something (e.g. Gmail), you can still use an .env file, but why not take advantage of your machine’s keyring service? Linux, Windows, and OSX all have some version of this. (OSX encrypts passwords for an extra layer of security.)
# set a new password for my Netflix account
keyring.set_password("netflix", "[email protected]", "s3kr1t")
Or, you can set / retrieve credentials from the command line:
```bash $ keyring get netflix [email protected] s3kr1t
$ keyring del netflix [email protected]
# keyring will ask me to authenticate and any subsequent
get commands return null.
It’s small, it works, and it’s kind of like Lastpass for environment variables. Now stop running as root before I tell Twitter! 🔑🔑🔑