Safely storing an application's API keys

Thiago Macieira thiago at kde.org
Mon Jan 18 15:57:54 GMT 2021


On Monday, 18 January 2021 03:21:30 PST Jean-Baptiste Mardelle wrote:
> Hi all,
> 
> For Kdenlive, we are planning to expand the use of online services to
> download ambiance music or videos for use in personal projects. To this
> purpose, most online services provide us an API key that is used to
> identify our app (Kdenlive) when querying their API.
> 
> Does anyone have experience / advice on how to protect these API keys so
> that they are not publicly available ? Is there any KDE online service or
> framework helping to achieve that ?

If you MUST do that, then the only secure place to store an API key is the 
TPM. That thing is protected by system security itself and gets disabled if 
the system doesn't pass its own security checks.

Which of course most Linux systems don't. Anyone who builds a custom kernel or 
disables secure booting will fail this.

You have the following options, which are complementary:
1) put an API key in the source code, which means public and visible to 
everyone

2) allow is not present) the user to create a new key and store it in the 
config file

#1 allows your software to run for everyone, regardless of how they build it. 
If it is missing, #2 becomes mandatory and your users will need to obtain a 
key of their own prior to the functionality becoming useful.

A compromise with the API providers is that the key from #1 can be a "low 
rate" one. That is, one that is limited in bandwidth or how many requests per 
second it is allowed to make. This happens for example to the rclone API key 
to use Microsoft One Drive.

Please reach out to the services in question and advise them that your 
software is open source and therefore cannot hide the key at all, and present 
these two possibilities.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel DPG Cloud Engineering





More information about the kde-devel mailing list