Ask HN: What are the best practices for storing API keys?

7 points by loourr ↗ HN
If I have a web service which uses other 3rd party API and I want to store the keys securely, what are the best practices around that?

I've looked at vault (https://hashicorp.com/blog/vault.html) which seems ideal but still in production.

Also AWS's Key Management system (KMS)(https://aws.amazon.com/kms/) seems promising but only provides ways to store native AWS keys. Would I then create a database which held the keys encrypted using KMS keys and SQL access keys?

5 comments

[ 2855 ms ] story [ 3480 ms ] thread
about how many api keys are we talking? im using enviroment variables for the job. Might not be manageable if you have many keys though
like 20+. That seems hard since you'd have to make sure the keys didn't show up in any of your logs.
(comment deleted)