Tags: database, backend, password-protection

Securely save credentials in a web backend


I am looking for a safe way to save credentials (like SSH credentials) in the backend of a web server (which would be Node.js in my case).

I already thought about hashing, but then you have to enter the password every time, and it should work without entering the password again.


Solution

  • SSH

    For SSH credentials, I would recommend you set up passwordless SSH.

    On the server you/the application will use to SSH into the target server:

    Step 1: Generate a key pair

    $ ssh-keygen -t rsa # press enter on all prompts

    The above command will generate SSH RSA private and public keys under the user’s home directory, /root/.ssh/. The private key, id_rsa, has to be kept secure on the node. The public key, id_rsa.pub, should be copied over to the target server that is to be accessed passwordlessly.

    Step 2: Copy the SSH public key to the target server

    $ ssh-copy-id -i ~/.ssh/id_rsa <ip_address_of_the_target_server>

    The command ssh-copy-id will simply copy the public key from the source server and add it to the destination server’s authorized key list, which defaults to ~/.ssh/authorized_keys of the authenticated SSH user. If password authentication is disabled, then a manual copy is required. On the application node, copy the content of the SSH public key located at ~/.ssh/id_rsa.pub and paste it into ~/.ssh/authorized_keys on the target.

    For more info on passwordless SSH check out this article: https://www.strongdm.com/blog/ssh-passwordless-login

    Other Credentials

    For other credentials, more secure approaches would be to use:

    • Environment Variables: Use a library like dotenv to load them securely during runtime.

    • Secure Credential Management Services: Dedicated services like AWS Secrets Manager, Azure Key Vault, or Google Cloud Secret Manager.

    • Session-Based Tokens: Instead of storing raw credentials, utilize temporary session tokens for authentication.

    I hope all this helps.