Storing keys in your code without git adding the key

Question

Is there a good way people can think of to include api keys or other sensitive information in a codebase and not have GitHub add just the key? It would be nice if it could obscure 1 line of code, but I don't think such a method exists. My closest idea would be to have your code read your API key from a file, and then ignore that file in your code, and if the user runs it without the api key file it generates one or reminds them to create a file.

Comments

I have used the file method. Its probably the best method of obscuring api keys.

Answer 1

I agree with your approach of storing in file and then ignoring the file. Another idea which could be outside the scope of this class but you can have github inject the encrypted api key during run time of the code when it's deployed using Jenkins. That would be if you planning on publishing the code in production and having users. Jenkins is what many companies use to eject their credentials into github code.
https://plugins.jenkins.io/git/

Answer 2

A couple other options include:

• git-crypt - https://hackernoon.com/things-you-must-know-about-git-crypt-to-successfully-protect-your-secret-data-kyi3wi6

• git-secret - https://git-secret.io/

Answer 3

For instructions on how to do the separate file and .gitignore approach for React, see:

https://stackoverflow.com/questions/48699820/how-do-i-hide-api-key-in-create-react-app

Comments

"Unfortunately, keeping any key in your React client, even if you are using gitignore and an .env file, is not secure. As pointed out by @ClaudiuCreanga, React environment variables are embedded in the build and are publicly accessible." -Antonia Blair, StackOverFlow