Best practices for securely storing API keys

In the past, I’ve seen many people use Git repositories to store sensitive information related to their projects.

Lately, I’ve been seeing some people announce that they’re storing API keys on their private GitHub repositories. I’m writing this article because people should understand the risks of storing API keys with your code.

This article is not intended to be a permanent solution to the problems you might have with storing API keys. Instead, it’s my own analysis of the problem and my suggestions on how to fix it.

So, what exactly is the problem with storing sensitive information near your code on a Git repository?

Why you shouldn’t store API keys on Git repositories

Storing API Keys, or any other sensitive information, on a git repository is something to be avoided at all costs. Even if the repository is private, you should not see it as a safe place to store sensitive information.

(...)

So, where should API keys be stored?

There are many alternatives for securely storing API keys and secrets. Some of them let you use your Git repository and encrypt the sensitive data. Other tools are more sophisticated and decrypt sensitive information as part of a deploy workflow. Let’s look at some of the available solutions.

(...)

To get all the details, read the full, original article.