How to secure env file in production environment

Hi guys

I am new in Golang and I would like your advice on how to secure variables defined in env file within a go application.

The idea is to have the API keys defined in an env text file such as:

#API credentials from a 3rd party site
CLIENT_ID=my_client_id
CLIENT_SECRET=my_client_secret

Then in my go file with godotenv package to read those credentials like so:

os.Getenv(“CLIENT_ID”),
os.Getenv(“CLIENT_SECRET”)

How can I avoid people from reading the .env file? Is env file the recommended way to deal with credentials in a production application? :thinking:

I’m interested to see other answers from people because I’ve never found a good solution.

As a non-security expert with little experience (and none in Go), this is what I’ll suggest:

  • Encrypt your passwords with crypto/aes or similar. I think this is a good example: https://golang.org/src/crypto/cipher/example_test.go#L18
  • Store the key and nonce in their own configuration file.
  • Store the encrypted passwords (and, optionally, usernames) in the “real” configuration file(s) with base64 encoding.
  • Make sure the access rights to the configuration files are locked down as much as possible.
2 Likes

Depend on the access control to the host that the program is running on
If this isn’t enough then the problem is with the host environment
If you are really so unsure about this then you have other problems such as information being read from system memory
In kubernetes world, this problem is solved with products such as Hashicorp Vault which replaces the “read an ENV variable” with a more secure method