How are people storing user-scale secrets?

Question

Like when you capture an oauth key, or some other 'password-like thing' that you need to store per-user and need to retrieve in plaintext so you can access an external service. Are you just putting this in a DB? AES-ing it?My goal is to not leak oauth access when my DB inevitably gets stolen.

cloudking · Accepted Answer

Auth0 has some good articles on this https://auth0.com/blog/refresh-tokens-what-are-they-and-when... https://auth0.com/docs/best-practices/token-best-practices https://auth0.com/docs/security/data-security/token-storage

TechBro8615 · Answer

First ask yourself if you need to store it at all. Can the client store it as a cookie that you forward only when necessary?

FastEatSlow · Answer

You can encrypt it in the database, but my preference is to just reset the tokens if and when the DB is stolen. If they've managed to steal it, solid chance they'll be able to decrypt it from the running db process or sniff through other infrastructure.

wizwit999 · Answer

Like others said, try to make it's so you do not have to store anything. Otherwise, AWS has Secrets Manager for example but thatll probably be expensive for user scale in which case you can encrypt and store in DB.

eigengrau5150 · Answer

In a notebook that I keep in a fireproof safe.