Blog

Filter posts by Category Or Tag of the Blog section!

Sensitive data protection in source code

Saturday, 24 July 2021

I recently had some concerns about the sensitive data protection in a project. Data such as the API key and API secret of an exchange which is totally sensitive and should be kept in the highest possible protection environment. There are lots of ways to protect such data. You can follow best practices such as using environment variables, configuration files, or secret management tools. Here are a few options:

 

1. Environment Variables: 

Store your API keys and secrets as environment variables in your server or development environment. Access these variables within your code. This approach keeps sensitive information out of your codebase and can be configured differently for various environments (development, staging, production).


 

var apiKey = Environment.GetEnvironmentVariable("BINANCE_API_KEY");

var apiSecret = Environment.GetEnvironmentVariable("BINANCE_API_SECRET");

 

2. Configuration Files: 

Store API keys and secrets in a separate configuration file (for example, JSON or YAML) that is not included in your version control system. Read the configuration file in your code. This method is useful for managing configuration options, including API keys.

{

    "BinanceApi": {

        "ApiKey": "YOUR_API_KEY",

        "ApiSecret": "YOUR_API_SECRET"

    }

}

 

Reading from JSON file:



 

IConfiguration configuration = new ConfigurationBuilder()

    .SetBasePath(Directory.GetCurrentDirectory())

    .AddJsonFile("appsettings.json")

    .Build();



var apiKey = configuration["BinanceApi:ApiKey"];

var apiSecret = configuration["BinanceApi:ApiSecret"];

 

3. Secret Management Tools:

The final method that I would prefer to the previous ones is to Utilize secret management tools like HashiCorp Vault, Azure Key Vault, or AWS Secrets Manager. These services provide a secure way to store and manage sensitive information. Your application can retrieve API keys and secrets securely from these services at runtime.

 

Example (Azure Key Vault in C#):



 

var secretClient = new SecretClient(vaultUri: new Uri("https://YOUR_KEY_VAULT.vault.azure.net/"), credential: new DefaultAzureCredential());

KeyVaultSecret apiKeySecret = secretClient.GetSecret("BinanceApiKey");

KeyVaultSecret apiSecretSecret = secretClient.GetSecret("BinanceApiSecret");



var apiKey = apiKeySecret.Value;

var apiSecret = apiSecretSecret.Value;

 

By using these methods, you can keep your API keys and secrets secure or any sensitive data separate from your source code, reducing the risk of exposure.

 

comments powered by Disqus