Setting the API key as a global environment variable is probably not so safe #2
Comments
Thanks! I definitely see the value in keeping the API key somewhere other than an environment variable. Do you think Preferences.jl would be an appropriate solution? I haven't used it before but it looks like it's intended for this kind of thing. I'll give it a go.
Yes, or a config file would also help a bit. The best would probably be to allow users to obscure their key like https://rclone.org/commands/rclone_obscure/, but I haven't seen people do that in Julia packages yet so I don't know how.
The Preferences.jl approach in #4 went pretty well! I do like the idea of obscuring the keys, but I haven't come across a good way to do that yet so I think I'll save that feature for a future PR.
Using https://github.com/JuliaCrypto/Nettle.jl to encrypt the API key could be an excellent option.
But where do you leave the key in an open source repository? Still, encrypting it with some key is better than nothing, I guess.
Sorry, I do not fully follow. Why would one store the encrypted API key in an open-source repo rather than in their system?
The idea of encryption is that only people who have the key can read the information. The problem is: Where would
I see! I was imagining using a password per user to encrypt the key.
Setting a global environment variable is okayish if you are in a protected environment such as a Docker image on a protected server, but probably not so great when it's a global variable available to the whole user system. Maybe a configuration file or starting Julia in a separate shell with the environment variable set would be better.
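One way to combine the two suggestions in the issue text above (a key file, plus an environment variable set for a single process only), as an added example that is not part of the original issue or the package's code. `run_with_key`, `API_KEY` and the file path are hypothetical names.

```shell
#!/bin/sh
# Added example: scope an API key to one child process instead of exporting it.
# API_KEY and the key-file path are hypothetical names, not the package's own.

# run_with_key KEYFILE COMMAND [ARGS...]
# Reads the key from KEYFILE and runs COMMAND with API_KEY set only in that
# command's environment. The calling shell never exports the variable.
run_with_key() {
    if [ "$#" -lt 2 ]; then
        echo "usage: run_with_key KEYFILE COMMAND [ARGS...]" >&2
        return 2
    fi
    keyfile=$1
    shift

    if [ ! -f "$keyfile" ] || [ ! -r "$keyfile" ]; then
        echo "run_with_key: cannot read $keyfile" >&2
        return 1
    fi

    # Refuse a key file that group or others can access (want 0600 or 0400).
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ldL -- "$keyfile" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "run_with_key: $keyfile is open to group/others; chmod 600 it" >&2
        return 1
    fi

    key=$(cat -- "$keyfile")
    if [ -z "$key" ]; then
        echo "run_with_key: $keyfile is empty" >&2
        return 1
    fi

    # The assignment prefix applies to this one command only.
    status=0
    API_KEY=$key "$@" || status=$?
    unset key
    return "$status"
}

# Usage (constructed path):
#   run_with_key "$HOME/.config/myapp/api_key" julia script.jl
```

The key is still visible to the child process and to anything else running as the same user that can read that process's environment, so this narrows exposure compared with a session-wide `export` rather than removing it.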