I was wondering which is the best approach to store credentials like AWS ID and KEY. Is it OK to have them stored in KV storage as plain text?
That would be OK, but you can store encrypted versions of them on KV. In case of a compromise, an attacker needs access to both channels (KV data and worker source).
So the encryption key lives in KV as well, right?
No. In this scenario encryption keys live in worker code, so for someone to get access to keys both KV storage and worker code are needed. If a breach happens, it is less likely to happen to both.
I see what you mean. My only concern is if I want to keep the code on GitHub it wouldn’t be nice to have the key in the repo.
Then keep the code on GitHub and keys in the worker. Then a small worker code which has the keys can load the code from GitHub.
Just to clarify, values in KV are automatically encrypted and only decrypted within the actual Worker process. It is up to you to decide what is secure enough for your application, but I would personally store secrets in KV without qualms.
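The approach discussed earlier in the thread (encrypted values in KV, with the key held only by the Worker), as an added example that is not code from any poster here. The names `sealSecret`, `openSecret` and `fakeKV` are hypothetical, the key is constructed, and binding the KV entry name into the ciphertext goes one step beyond what the thread describes.

```javascript
// Added example: AES-256-GCM envelope for secrets stored in Workers KV.
// Assumption: the 32-byte key is held by the Worker and never written to KV.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

async function importKey(keyB64) {
  const raw = fromB64(keyB64);
  if (raw.length !== 32) throw new Error("expected a 32-byte AES-256 key");
  // extractable = false: the key object cannot be exported again at runtime.
  return wc.subtle.importKey("raw", raw, "AES-GCM", false, ["encrypt", "decrypt"]);
}

// Encrypt one secret. The KV entry name is passed as additional authenticated
// data, so a ciphertext copied onto a different entry fails to decrypt.
async function sealSecret(key, name, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce per write
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(name) }, key, enc.encode(plaintext)));
  const out = new Uint8Array(iv.length + ct.length);
  out.set(iv);
  out.set(ct, iv.length);
  return toB64(out); // stored form: base64(iv || ciphertext || tag)
}

async function openSecret(key, name, stored) {
  const blob = fromB64(stored);
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: blob.slice(0, 12), additionalData: enc.encode(name) },
    key, blob.slice(12));
  return dec.decode(pt);
}

// Stand-in for a KV namespace binding (get/put only) so this runs offline.
const fakeKV = {
  m: new Map(),
  async put(k, v) { this.m.set(k, v); },
  async get(k) { return this.m.get(k) ?? null; },
};

async function demo() {
  const key = await importKey(toB64(new Uint8Array(32).fill(7))); // constructed key
  await fakeKV.put("aws_secret_key", await sealSecret(key, "aws_secret_key", "EXAMPLE-SECRET-VALUE"));
  const stored = await fakeKV.get("aws_secret_key");
  const roundTrip = await openSecret(key, "aws_secret_key", stored);
  const swapped = await openSecret(key, "other_entry", stored).then(() => "accepted", () => "rejected");
  return { stored, roundTrip, swapped };
}
```

A reader of the KV namespace alone sees only the base64 blob; decryption needs the key from the Worker side.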