Safely storing an application's API keys
Thiago Macieira
thiago at kde.org
Mon Jan 18 15:57:54 GMT 2021
On Monday, 18 January 2021 03:21:30 PST Jean-Baptiste Mardelle wrote:
> Hi all,
>
> For Kdenlive, we are planning to expand the use of online services to
> download ambiance music or videos for use in personal projects. To this
> purpose, most online services provide us an API key that is used to
> identify our app (Kdenlive) when querying their API.
>
> Does anyone have experience / advice on how to protect these API keys so
> that they are not publicly available ? Is there any KDE online service or
> framework helping to achieve that ?
If you MUST do that, then the only secure place to store an API key is the
TPM. That thing is protected by system security itself and gets disabled if
the system doesn't pass its own security checks.
Which of course most Linux systems don't. Anyone who builds a custom kernel or
disables secure booting will fail this.
You have the following options, which are complementary:
1) put an API key in the source code, which means public and visible to
everyone
2) allow is not present) the user to create a new key and store it in the
config file
#1 allows your software to run for everyone, regardless of how they build it.
If it is missing, #2 becomes mandatory and your users will need to obtain a
key of their own prior to the functionality becoming useful.
A compromise with the API providers is that the key from #1 can be a "low
rate" one. That is, one that is limited in bandwidth or how many requests per
second it is allowed to make. This happens for example to the rclone API key
to use Microsoft One Drive.
Please reach out to the services in question and advise them that your
software is open source and therefore cannot hide the key at all, and present
these two possibilities.
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
Software Architect - Intel DPG Cloud Engineering
More information about the kde-devel
mailing list