I'm looking for a trustworthy and free way to store API tokens and email passwords securely online, preferably accessible via an API. I'm currently working on a personal project that involves sending emails through an API and, because I haven't pushed my work to a remote repository yet, these sensitive items are hard-coded into my code. I'd like to find a way to keep them safe and accessible without compromising security. How do others manage similar situations in their personal projects?
4 Answers
If you're looking for an open-source and self-hosted option, check out Envie. It allows you to store your secrets encrypted in the cloud and access them just like regular environment variables during runtime.
I rely on a .env file for local testing. While deploying, it's common to use some kind of secrets manager, like a vault or a parameter store, to securely handle these passwords. Most of these services offer free tiers. You can inject secrets during build or runtime depending on your server's security. If your server is secure, you could use environment variables but that’s generally less secure than a dedicated secrets manager.
For my projects on Azure, I typically use Azure Key Vault for storing secrets securely. But for personal projects, I just go with Bitwarden; it's a straightforward option for keeping everything organized and safe.
Great point about git history! Even if you remove secrets in later commits, they can still be retrieved from the history. For just two secrets, I recommend saving them in a config file that doesn't get pushed to version control, or you might consider using environment variables when running your app. If you use a secrets management API, you'd just be trading multiple secrets for one that's the API key for that service.
That makes sense! But how can I avoid having a single point of failure? Is there a way to authenticate with a vaulting service that doesn't use a secret that could be exploited?