0

I'm creating an authorisation service, which does signing using a key.

For local development I was randomly generating a key on application start-up.

Now I'm deploying to the cloud (currently going with AWS), I'm refactoring this approach to be more robust / persistent.

The current idea I have is to generate some keys and dump these into environment variables - where the PRODUCTION private key would need to be handled with care / protected.

Because they'd be in environment variables, I'd use the PEM format.

At startup, I'd now load the keys from environment variables such as APPLICATION_SIGNING_KEY_PUBLIC/PRIVATE, parse the base-64 encoded bits and process the X509 thingy into Private/PublicKeys in memory.

Is this standard - or even acceptable? Are there any holes in this design?

asked Jul 6, 2021 at 20:48
2
  • 4
    Why not just use AWS Secrets Manager (or the equivalent in other clouds)? Commented Jul 6, 2021 at 21:50
  • @PhilipKendall Because I did not know it exists - that was the point of this question Commented Jul 7, 2021 at 16:24

0

Know someone who can answer? Share a link to this question via email, Twitter, or Facebook.

Your Answer

Draft saved
Draft discarded

Sign up or log in

Sign up using Google
Sign up using Email and Password

Post as a guest

Required, but never shown

Post as a guest

Required, but never shown

By clicking "Post Your Answer", you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.