top | item 25060880

(no title)

camsjams | 5 years ago

Do you store your API keys and other sensitive data with a site that doesn't even have a page discussing their encryption or security practices? Their privacy policy mentions they secure data with SSL protocol...

Who has access to each client's database? Is it audited? Is it encrypted at rest? I'm sure it is, but Config.ly would be wise to add this information to avoid fears.

Also you can store encrypted secrets in Git just fine, there are a number of methods to do so very safely.

discuss

jeremyis|5 years ago

Thanks for the feedback. The goal right now is not to store sensitive data in Config.ly - your read API keys will be on your clients - and so in theory anyone who can read that source code can fetch your keys.

> Who has access to each client's database? Is it audited? Is it encrypted at rest? I'm sure it is, but Config.ly would be wise to add this information to avoid fears.

This is great feedback, thank you.

munro|5 years ago

Ohhh, that's such a great idea. I've done that before for TravisCI, now that I remember, it's really slick.

https://docs.travis-ci.com/user/environment-variables/#defin...