Hey HN,<p>I will need to store some sensitive data (API keys, Client Secrets) of my customers in my DB. I was wondering if anyone could help me with these questions.<p>1. What are the best practices for storing client secrets and API keys in a DB?<p>2. Should the encryption be handled in the application level (using a library built on top of Node Crypto) or the database level (with pgcrypto)? What are the pros/cons of each option?<p>3. What are some good encryption libraries in Node.js (I want to avoid rolling my own crypto)?<p>4. At what frequency should I rotate keys? What are some methods to handle key rotation?<p>Thanks a lot!
Assuming you are using SQLite, an extension exists which will likely do the job: <a href="https://www.sqlite.org/see/doc/trunk/www/readme.wiki" rel="nofollow">https://www.sqlite.org/see/doc/trunk/www/readme.wiki</a><p>Other databases will also have encrypt/decrypt APIs available.<p>Specific answers to your questions will depend on your application and use cases (local network? global website? credit card data? health data? etc...).
Key management is the interesting part, although it's possible to screw up just in the crypto part as well. Encryption is just a way of substituting the trouble of keeping the key secret vs keeping the data secret.<p>You're going to match your key management to your threat model.<p>What are you going to do to keep the key safe in the scenarios of your threat model where an adversary can access the DB contents?
You want to look at acra which intercepts your postgres calls and adds encryption.<p><a href="https://github.com/cossacklabs/acra">https://github.com/cossacklabs/acra</a>
It depend on context, for which You asking.<p>If it to obey laws, this question of regulations of Your country;<p>for b2b market, each industry have their industry-wide typical use cases;<p>for internal use other consideration;<p>for box product other.