API keys and how to hide them

Hello

I am working on a private project (marked as such) and I need to use some API key, which I should not just store as plain text in my code, I was told. I don't really get what is visible on what site and for whom. I would just assume it is safe to store it as plain text since the project is private, but I would like to be safe (and learn something), so how can I be sure that it is not visible?

Using a tutorial, I created a new notebook1 containing my API key and I can import it in my other notebook2 and use it. But the tutorial stated that you need to make git ignore notebook1. How can I do that?

Hello,
You have been told correctly: you should NEVER EVER EVER store any kind of secret and/or sensitive information in clear text in a git repository.

Even when the project/repository is private, the administrators (such as myself, but not only) would always be able to see the secret.

If you access those keys frequently and want to make their access somewhat more convenient, I suggest looking into encryption tools such as “pass” or “SOPS”, which will encrypt those secrets for you, and you will be able to temporarily decrypt them with a password.

It would be fine to store those secrets in your project once they are encrypted.

2 Likes

Let me add an example: in the Renku default containers openssl is installed and can be used to encrypt and decrypt files.

So for instance you could:

  1. Create a file called secret.sec
  2. Add your API keys there
  3. Encrypt the secret with openssl: openssl enc -aes-256-cbc -in secret.sec -out secret.enc
  4. Make sure to add the extension *.sec to .gitignore to prevent checking in the clear-text secret
  5. Check the encrypted secret into git
  6. The next time you launch a session and want to use the secret, decrypt it: openssl enc -d -aes-256-cbc -in secret.enc -out secret.sec

3 Likes
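The six steps above as a POSIX shell script, added here as an example (not code from the thread or from Renku). It assumes openssl is on PATH and reads the passphrase from a file named on the command line so the functions can run unattended; it also adds -pbkdf2 -salt, which current OpenSSL expects (the command in the thread still works but prints a deprecation warning), and the same flags must be used for both encryption and decryption.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes `openssl` is on PATH and
# reads the passphrase from a file so the steps run non-interactively;
# drop `-pass file:...` to be prompted at the terminal as in the thread.
set -eu

# Step 3: encrypt a clear-text secret file. -pbkdf2 -salt selects a modern
# key derivation; current openssl warns when it is omitted. Decryption
# must use the same flags.
encrypt_secret() {   # encrypt_secret <in.sec> <out.enc> <passfile>
  openssl enc -aes-256-cbc -pbkdf2 -salt -in "$1" -out "$2" -pass "file:$3"
}

# Step 6: decrypt back to clear text; exits non-zero on a wrong passphrase
# ("bad decrypt") so callers can notice.
decrypt_secret() {   # decrypt_secret <in.enc> <out.sec> <passfile>
  openssl enc -d -aes-256-cbc -pbkdf2 -in "$1" -out "$2" -pass "file:$3"
}

# Step 4: add a pattern to .gitignore unless it is already there (idempotent).
ignore_pattern() {   # ignore_pattern <repo_dir> <pattern>
  touch "$1/.gitignore"
  grep -qxF -- "$2" "$1/.gitignore" || printf '%s\n' "$2" >>"$1/.gitignore"
}

# Sanity check before committing: the token must not appear in the ciphertext.
ciphertext_hides() {   # ciphertext_hides <token> <file.enc>
  ! grep -qaF -- "$1" "$2"
}

# Run the whole flow in a scratch directory with a constructed sample key;
# returns 0 when the round trip succeeds and the clear text is hidden.
demo() {
  d=$(mktemp -d)
  printf 'API_KEY=example-key-123\n' >"$d/secret.sec"      # constructed sample
  printf 'correct horse battery staple\n' >"$d/key.pass"   # constructed passphrase
  ignore_pattern "$d" '*.sec'
  ignore_pattern "$d" 'key.pass'   # the passphrase file must stay out of git too
  encrypt_secret "$d/secret.sec" "$d/secret.enc" "$d/key.pass"
  decrypt_secret "$d/secret.enc" "$d/roundtrip.sec" "$d/key.pass"
  cmp -s "$d/secret.sec" "$d/roundtrip.sec" && ciphertext_hides 'example-key-123' "$d/secret.enc"
}

if [ "${1:-}" = demo ]; then
  demo && echo "round trip OK"
fi
```

Run it as `sh script.sh demo` to see the full cycle; in a real session only secret.enc is committed, while secret.sec and key.pass stay ignored.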

Hello @aledegano,

Thanks for the example.

Can you also suggest when one should ideally run the decryption command (openssl enc -d -aes-256-cbc -in secret.enc -out secret.sec) during a Renku session deployment (from a post-init.sh, from the Jupyter terminal, etc.)?

The decryption command requires entering the password, so I believe that is best done from within the terminal when the session is launched.

1 Like