BadRequest
Posts: 2
Joined: Fri May 28, 2021 6:45 pm

How to securely store API secret keys for a Python script looping every 5 minutes?

Fri May 28, 2021 7:16 pm

I would like to use a Python script on my Raspberry Pi to access an API (every five minutes, 24/7) that requires authentication (for good reason). I don't know much about IT security but I do know it's bad to store passwords/keys in plaintext on a machine connected to the Internet so my question is how am I supposed to put my secret API keys into my Python script so they're not readable to an intruder in plaintext? Thanks.

richonguzman
Posts: 124
Joined: Fri Aug 28, 2020 4:38 pm
Location: Chile

Re: How to securely store API secret keys for a Python script looping every 5 minutes?

Mon May 31, 2021 6:00 pm

Make Python read the token/code/password from a file.

So the running Python script won't have the password inside, but it could read it from the file, so it would be just in memory/RAM.

PS: for extra security maybe run a 24/7 VPN from the raspberry to the server/machine you need to connect

Heater
Posts: 18359
Joined: Tue Jul 17, 2012 3:02 pm

Re: How to securely store API secret keys for a Python script looping every 5 minutes?

Mon May 31, 2021 8:12 pm

Certainly it's bad to have such keys hard coded into your program. It can happen that you then end up copying those keys to backups where people can find them, or accidentally giving away keys when you share your code with others, or even publishing them to the world when you keep your code in GitHub or some such repository.

So better to read the keys from a file.

Then you only have to be sure you secure your system against people reading the keys from those files.

This gets to be a hard problem...
Memory in C++ is a leaky abstraction.

BadRequest
Posts: 2
Joined: Fri May 28, 2021 6:45 pm

Re: How to securely store API secret keys for a Python script looping every 5 minutes?

Tue Jun 22, 2021 1:48 am

Thanks for the responses. So it's not possible to have them encrypted or something so an intruder would not be able to read them in plain text? I understand the idea of putting the keys in another file but since the script still has to reference the file, an intruder would know where to look for the keys, right*? I have no idea how likely that is to happen (I've done all the basic stuff to secure the Pi) but there could be some vulnerability in something. Maybe I should uninstall the browser since I don't need/use it?

*I presume no-one will be manually hacking me like in the movies but they might write a program that looks for things that look like API keys or whatever.
richonguzman wrote: PS: for extra security maybe run a 24/7 VPN from the raspberry to the server/machine you need to connect
I use a VPN on my Windows machine to access the Internet in general. I'm guessing you mean something else, like where a company provides VPN software/credentials for employees to use? I don't have any control over the server so I guess using a VPN might just hide the Pi's IP address and not give the kind of protection that I think you're talking about.

memjr
Posts: 142
Joined: Fri Aug 21, 2020 5:59 pm

Re: How to securely store API secret keys for a Python script looping every 5 minutes?

Tue Jun 22, 2021 3:52 am

The problem is you need to store the password. If you want to encrypt it, you need to decrypt it, and to do that, you need a password. So where do you store the password to decrypt the actual password? Well, you can encrypt that password too. Chicken and the egg, right?

So how about storing it in the file, but not in plain text, but encoded? You could have Python use one of the many ways to encode/decode the password. Problem is that if you know how to encode it, so does anyone trying to get your password if they get ahold of your code.

You could have the program ask you for the password when you start it. But if you need it to restart if it stops, you need to be there to type it in again.

You could have the program run by a service account, which means no one will be able to login as that account. Now you can save the password, encoded, in a file, that the program knows how to decode without a password. You then change the permission of that file so only the service account can read it.

This is still not foolproof, but now the only ones that can read the password file (which is encoded) are that account itself, which no one can log in as, and anyone with root access or the ability to run su to switch to that account.
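A defender-side check in the spirit of the file-plus-permissions approach described above, written as an added example (not code from the thread or from any poster): the script keeps the key in a separate file and refuses to use it unless the file is a regular file, owned by the account the script runs as, and unreadable by group and others, much like the check ssh applies to private keys. It assumes a POSIX system such as Raspberry Pi OS; the file names and the key value are constructed placeholders.

```python
"""Added example: load an API key from a permission-restricted file and
refuse to use it when the file is readable by anyone but its owner."""
import os
import stat
import tempfile
from pathlib import Path


def load_secret(path: str) -> str:
    """Return the key stored in `path` after checking the file is private."""
    p = Path(path)
    st = p.lstat()  # lstat: do not follow a symlink planted in place of the file
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_uid != os.geteuid():
        raise PermissionError(f"{path}: owned by uid {st.st_uid}, not by this user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {stat.filemode(st.st_mode)} lets others read it; chmod 600")
    key = p.read_text(encoding="utf-8").strip()
    if not key:
        raise ValueError(f"{path}: empty key file")
    return key


def write_secret(path: str, key: str) -> None:
    """Create the key file with mode 0600 from the start, so there is no
    window in which it exists world-readable before a later chmod."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(key + "\n")


def demo() -> tuple:
    """Constructed demo: a private key file loads; a world-readable copy is rejected."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "api_key")
        write_secret(good, "CONSTRUCTED-EXAMPLE-KEY")  # placeholder, not a real key
        loaded = load_secret(good)
        leaky = os.path.join(d, "api_key_leaky")
        write_secret(leaky, "CONSTRUCTED-EXAMPLE-KEY")
        os.chmod(leaky, 0o644)  # the mistake: readable by every local user
        try:
            load_secret(leaky)
            rejected = False
        except PermissionError:
            rejected = True
    return loaded, rejected


if __name__ == "__main__":
    print(demo())
```

Running the script as a dedicated service account that nobody logs in as, with the key file owned by that account, is what makes the ownership check meaningful.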

richonguzman
Posts: 124
Joined: Fri Aug 28, 2020 4:38 pm
Location: Chile

Re: How to securely store API secret keys for a Python script looping every 5 minutes?

Tue Jun 22, 2021 2:10 pm

BadRequest wrote:
Tue Jun 22, 2021 1:48 am
I use a VPN on my Windows machine to access the Internet in general. I'm guessing you mean something else, like where a company provides VPN software/credentials for employees to use? I don't have any control over the server so I guess using a VPN might just hide the Pi's IP address and not give the kind of protection that I think you're talking about.
I use WireGuard and it works awesome between my Raspberry NAS with OpenMediaVault and my MacBook, iPhone and another traveling RP.

thagrol
Posts: 5246
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK
Contact: Website

Re: How to securely store API secret keys for a Python script looping every 5 minutes?

Tue Jun 22, 2021 3:11 pm

BadRequest wrote:
Fri May 28, 2021 7:16 pm
I would like to use a Python script on my Raspberry Pi to access an API (every five minutes, 24/7) that requires authentication (for good reason). I don't know much about IT security but I do know it's bad to store passwords/keys in plaintext on a machine connected to the Internet so my question is how am I supposed to put my secret API keys into my Python script so they're not readable to an intruder in plaintext? Thanks.
The reality is that you cannot prevent someone getting your API keys. You can just make it more hassle than it's worth. But doing so may take more effort than is worthwhile.

You have to decrypt them in order to use them. At that point they can be snooped from RAM. Or from your network traffic if unencrypted.

Python is a particularly poor choice of language too. Its programs are plain text files that are human readable with little knowledge. .pyc files are slightly better, but those can be decompiled, as can most other languages. Even if only decompiled back to assembler, that's likely enough.

There's a reason the big boys use hardware dongles for software protection.

About the only other option you have is to publish where the local copy of the API keys are stored and make the end user generate their own then feed them to your app. This has the added advantage that if one user gets blocked by the API owner they don't get everyone blocked with them.
I'm a volunteer. Take me for granted or abuse my support and I will walk away

All advice given is based on my experience. It worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides

geektechstuff.com
Posts: 44
Joined: Sat Mar 02, 2019 8:08 pm
Contact: Website

Re: How to securely store API secret keys for a Python script looping every 5 minutes?

Tue Jun 29, 2021 10:19 pm

BadRequest wrote:
Fri May 28, 2021 7:16 pm
I would like to use a Python script on my Raspberry Pi to access an API (every five minutes, 24/7) that requires authentication (for good reason). I don't know much about IT security but I do know it's bad to store passwords/keys in plaintext on a machine connected to the Internet so my question is how am I supposed to put my secret API keys into my Python script so they're not readable to an intruder in plaintext? Thanks.
Could you store them in environment variables and have Python read them from the environment? Not sure it adds much in a security context though.
www.geektechstuff.com

memjr
Posts: 142
Joined: Fri Aug 21, 2020 5:59 pm

Re: How to securely store API secret keys for a Python script looping every 5 minutes?

Tue Jun 29, 2021 10:40 pm

geektechstuff.com wrote:
Tue Jun 29, 2021 10:19 pm
BadRequest wrote:
Fri May 28, 2021 7:16 pm
I would like to use a Python script on my Raspberry Pi to access an API (every five minutes, 24/7) that requires authentication (for good reason). I don't know much about IT security but I do know it's bad to store passwords/keys in plaintext on a machine connected to the Internet so my question is how am I supposed to put my secret API keys into my Python script so they're not readable to an intruder in plaintext? Thanks.
Could you store them in environment variables and have Python read them from the environment? Not sure it adds much in a security context though.
An environment variable does the same as a local file.

thagrol
Posts: 5246
Joined: Fri Jan 13, 2012 4:41 pm
Location: Darkest Somerset, UK
Contact: Website

Re: How to securely store API secret keys for a Python script looping every 5 minutes?

Tue Jun 29, 2021 11:32 pm

geektechstuff.com wrote:
Tue Jun 29, 2021 10:19 pm
BadRequest wrote:
Fri May 28, 2021 7:16 pm
I would like to use a Python script on my Raspberry Pi to access an API (every five minutes, 24/7) that requires authentication (for good reason). I don't know much about IT security but I do know it's bad to store passwords/keys in plaintext on a machine connected to the Internet so my question is how am I supposed to put my secret API keys into my Python script so they're not readable to an intruder in plaintext? Thanks.
Could you store them in environment variables and have Python read them from the environment? Not sure it adds much in a security context though.
You could but...
  • How are you going to get it into the environment variable?
  • Environment variables don't survive outside the shell they were set in (and any child shells).*
  • They certainly don't survive across boots.
  • Whose environment?
  • You still need to store the secret data somewhere permanently. Or prompt the user for it on boot.
  • Environment variables are no more secure than any other method and possibly less so:

    ## find the PID of the process then:
    sudo cat /proc/<pid>/environ | tr '\0' '\n'

    You don't need sudo if the process is running under your user.
TL;DR more effort for no gain.
I'm a volunteer. Take me for granted or abuse my support and I will walk away

All advice given is based on my experience. It worked for me, it may not work for you.
Need help? https://github.com/thagrol/Guides
