dotenv is recommended to store local configuration with strict separation of config from code. However, it stores a private key as plain text in the .env file.
Also, the crypto module somehow needs to deal with a plain-text password.
Is there a way to store a password which can be deciphered with a system-dependent algorithm, so that if the encrypted password is stolen, it would still require knowing the source system's features?
As far as I know, no. Think of it this way: you need the text, in some way, to do some task. How do you normally keep text like this private? Hashing; however, if it is a 1-way hash algorithm this is useless, as you don't want to validate the hash but rather gather the contents of said hash, and if it is a hash and salt algorithm where you can retrieve the data, you are only adding extra steps for the perpetrator. Storing it in a .env file is the safest route to go; make sure to add it to .gitignore or your own VCS ignore file, and optionally disable IDE local file tracking if it's available.