Key Management
Is the Convex team working on any sort of key management service to separate storage of cryptographic keys/salts? Or any ideas on how to do that securely right now?
I'm storing API keys from external services and want to store the salted, encrypted version of them for security.
5 Replies
One quick thought (not sure if others have better ideas): what about storing the salt & key in environment variables, and store the encrypted contents in the DB? I'm assuming these values are generated statically and don't change often.
Was thinking of going that route too.
Or connecting to AWS Secrets Manager.
If you're connecting to an external service, the one hitch is that the interface exposed to queries & mutations is the database & environment variables. So you'd either need something reading from AWS and writing to tables (which is what I think you're trying to avoid to begin with?), or to do the encryption / decryption in an action, which can't be synchronously called from a query or mutation. So the most ergonomic choice I think is env variables. Sorry there isn't a deeper integration with secrets managers. We'll keep it in mind for the future.
@punn in a theoretical "secrets" or key management feature, would the difference between that and our current environment variables feature just be the level of encryption and access? Environment variables are currently stored in our database, which is encrypted, but perhaps you're looking for us to store secrets in something more like HashiCorp Vault, such that they're separately encrypted and not even readable from the dashboard once set, and are only available in your queries and mutations.
If that's something you (or anyone else) would find valuable, give this a ➕ and we will keep this in mind!
Exactly that! Thanks for considering it!
Gotcha, sounds good. I think we'll go with that for now since we won't need the advanced features of external services.