Storing Sensitive Data in Environment Variables

Don't hardcode your password

thumbnail
Matheus Monteiro
Published Date1 Month Ago - 769 Views

When developing custom code or portlets, it's common to work with sensitive data like passwords, client secrets, or API keys. For example, when you're configuring OAuth2 to authorize a request in your code, you will need to provide an ID and a secret. A common pitfall is to hardcode this information directly into your codebase, which can lead to significant security vulnerabilities, especially if the code is shared on a version control platform like GitHub.

In this blog post, I’ll explain why it's essential to store sensitive data in environment variables rather than in plain text inside your code, and how you can achieve this effectively, particularly when working in a PaaS (Platform-as-a-Service) environment.

The Risk of Storing Sensitive Data in Code

Hardcoding sensitive data like client secrets or API keys directly in your code comes with several risks:

  • Visibility: If your repository is public or if multiple people have access to it, this data is exposed to anyone with access, whether or not they need it.
  • Version History: Even if you remove sensitive data from the code later, it might still be accessible in your version control system’s history.
  • Accidental Sharing: Team members might accidentally leak these secrets if they share code snippets that contain them.

Where to Store Sensitive Data Safely?

When working with Liferay DXP, especially in cloud environments such as Liferay PaaS, one of the best practices is to store sensitive data like secrets in environment variables. This approach keeps your sensitive information secure and separated from your code, while still making it accessible to your application when it runs.

Using Secrets in Liferay PaaS

In a PaaS environment, you can store sensitive information like client secrets securely by using Secrets . Here’s a step-by-step guide to show you how to do this in Liferay PaaS:

Step-by-Step Guide: Storing and Using Secrets in Liferay PaaS

  1. Create a Secret in Liferay PaaS

    • First, create a secret in your Liferay PaaS platform for the sensitive value you need (e.g., client secret or password).
    • This will ensure the secret is stored securely and can be accessed during runtime.
    • Our documentation can show you in details how to create Secrets.

  2. Reference the Secret in the LCP.json File

    • In your Liferay service’s LCP.json file, you can define an environment variable that will reference the value of the secret.

    Example:

    "MY_ENVIRONMENT_VARIABLE": "@my_secret"

    • Here, @my_secret references the secret you created, and MY_ENVIRONMENT_VARIABLE is the name of the environment variable you’ll use in your application.

  3. Pass the Environment Variable to Liferay’s JVM Options

    • To make the environment variable accessible to your Java application, you need to add it to the LIFERAY_JVM_OPTS configuration. This will pass the environment variable to the JVM that runs Liferay.

    Example:

    "LIFERAY_JVM_OPTS": ".... -Dmy_local_variable=${MY_ENVIRONMENT_VARIABLE}"

    • Important Notes:
      • The .... part means that if you already have something in LIFERAY_JVM_OPTS, you append this new configuration at the end.
      • The -D flag is required before the name of the local variable (my_local_variable), which makes the environment variable available in the Java context.

  4. Use the Local Variable in Your Java Code or Configuration File

    • Now that you’ve passed the variable into your Java environment, you can use it in your code or in your application's configuration files.

    Example in a properties file:

    my_coding_variable=${my_local_variable}

    • This way, the value of my_local_variable (which is the secret stored securely in the environment) can be accessed by your application, without ever exposing it directly in the code.

Why is This Approach Safer?

  • Secrets Management: By storing secrets in a dedicated secrets manager (in this case, Liferay PaaS), you ensure that sensitive data is stored securely, separate from your code.
  • Environment Isolation: Environment variables are isolated by the environment in which they run, meaning even if a developer has access to the code, they won't necessarily have access to the sensitive data unless they're in the correct environment.
  • Easier Updates: If the secret changes, you can update the environment variable or secret in the PaaS platform without having to modify the code.

Conclusion

Storing sensitive information like client secrets, passwords, or API keys directly in your code is a significant security risk. Using environment variables, especially in PaaS environments like Liferay Cloud, allows you to securely manage this information and ensures your code stays clean and safe from exposure.

By leveraging environment variables and secrets in your PaaS setup, you’ll be following best practices that not only secure your sensitive data but also make your application easier to maintain and update in the future. With just a few configuration changes, you can avoid the risks of hardcoding sensitive information and take advantage of the robust infrastructure provided by Liferay PaaS.

Comment (0)

More Blog Entries

thumbnail

Gogo Shell via Rest API

thumbnail
Jawad Azhar
10 Oct
0
thumbnail

JDK-17/JDK-21: Solving The Error module does not opens to unnamed module...

thumbnail
David H Nebinger
10 Oct
7
Blogs