Convex Community
Created by Curtis on 12/31/2024 in #support-community
Does Convex have recommended processes for securing secrets / a secret key management feature?
I'm a hobbyist starting a Convex project. I haven't seen anything in the documentation that explicitly addresses how secrets should be managed in a Convex backend, although I do see an example "MY_SECRET" environment variable in the docs (https://docs.convex.dev/production/environment-variables). Are environment variables the recommended way to store sensitive secret values such as private keys? Are there ways to limit the scope of a secret so that it is only usable by certain actions / functions / etc.?

For some context, I'm thinking about the Convex Auth Password authentication. I like the elegance of using OpenID Connect configuration and publishing the public keys through a Convex HTTP handler. But if I am understanding this right, this requires a JWT_PRIVATE_KEY environment variable containing the private key, which will be ambiently available to all Convex backend code, which is a much riskier scope than just a few authorization APIs...

Does Convex have some kind of Key Management System on its roadmap? It would be nice to be able to guarantee that encryption/signing keys cannot be exfiltrated, so that you could have relatively high confidence in the integrity of your keys, and it would also help with the DX of having to securely generate and then upload the sensitive key material.
14 replies
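The mechanism the post describes (a private signing key held in an environment variable, its public half published as a JWKS from an HTTP handler, and relying parties verifying tokens against that JWKS), written out as an added example in plain Node. This is not Convex's or Convex Auth's code: the `makeSigner` / `verifyWithJwks` names, the `kid` value, the ES256 choice and the sample claims are assumptions, and `JWT_PRIVATE_KEY` is generated on the fly here when unset so the block runs offline. It shows the one scoping lever ordinary application code has, namely reading the key once into a closure that exports only `sign` and `jwks`, and the verifier rejects unknown `kid` values, `alg` substitution and expired tokens. Note that this wrapping does not remove the variable from `process.env` for the rest of a shared runtime, which is exactly the gap the post is asking about.

```typescript
// Added illustration, not Convex's or Convex Auth's code. Assumed names:
// makeSigner, verifyWithJwks, kid "key-1". JWT_PRIVATE_KEY is constructed
// here when the env var is absent so the example is self-contained.
import {
  createPrivateKey, createPublicKey, createSign, createVerify,
  generateKeyPairSync, KeyObject,
} from "node:crypto";

type Jwk = Record<string, string>;
type Jwks = { keys: Jwk[] };

const b64url = (b: Buffer | string): string => Buffer.from(b).toString("base64url");
const fromB64url = (s: string): string => Buffer.from(s, "base64url").toString();

// Stand-in for the deployment environment variable (constructed for the example).
if (!process.env.JWT_PRIVATE_KEY) {
  const { privateKey } = generateKeyPairSync("ec", { namedCurve: "P-256" });
  process.env.JWT_PRIVATE_KEY = privateKey.export({ type: "pkcs8", format: "pem" }).toString();
}

// Read the key exactly once and expose only operations on it, never the key
// itself. Importers can sign and publish the JWKS but cannot read the PEM
// through this module (the env var itself stays readable to the runtime).
function makeSigner(pem: string, kid: string) {
  const priv: KeyObject = createPrivateKey(pem);
  const pub: KeyObject = createPublicKey(priv);          // public half derived, no `d`
  const jwk = pub.export({ format: "jwk" }) as Jwk;
  return {
    // The JWKS document an OIDC discovery / HTTP handler would serve.
    jwks: (): Jwks => ({ keys: [{ ...jwk, kid, use: "sig", alg: "ES256" }] }),
    sign: (claims: Record<string, unknown>): string => {
      const header = b64url(JSON.stringify({ alg: "ES256", typ: "JWT", kid }));
      const payload = b64url(JSON.stringify(claims));
      const sig = createSign("SHA256")
        .update(`${header}.${payload}`)
        .sign({ key: priv, dsaEncoding: "ieee-p1363" });   // JOSE r||s encoding
      return `${header}.${payload}.${b64url(sig)}`;
    },
  };
}

export const signer = makeSigner(process.env.JWT_PRIVATE_KEY as string, "key-1");

// Relying-party side: verification uses only the published JWKS.
export function verifyWithJwks(token: string, jwks: Jwks, now = Math.floor(Date.now() / 1000)): Record<string, unknown> | null {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return null;
  let header: Jwk;
  try { header = JSON.parse(fromB64url(h)); } catch { return null; }
  if (header.alg !== "ES256") return null;               // no "none" / alg confusion
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) return null;                                 // unknown key id
  const { kty, crv, x, y } = jwk;                        // import only the public fields
  const key = createPublicKey({ key: { kty, crv, x, y }, format: "jwk" });
  const ok = createVerify("SHA256")
    .update(`${h}.${p}`)
    .verify({ key, dsaEncoding: "ieee-p1363" }, Buffer.from(s, "base64url"));
  if (!ok) return null;
  const claims = JSON.parse(fromB64url(p)) as Record<string, unknown>;
  if (typeof claims.exp === "number" && claims.exp <= now) return null;  // expired
  return claims;
}
```

The JWKS is built from a public `KeyObject`, so the exported JWK carries no private scalar; the verifier imports only `kty`/`crv`/`x`/`y` and pins the algorithm to what the issuer uses, which is the standard defence against `alg: none` and key-type confusion when consuming a JWKS.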