Re: Best way to secure external API keys?

This isn't possible to do. Why? Because for most systems you eventually have to send the API key over the network. If I want your API keys I'll just get out one of any number of tools that let me intercept network traffic and have it in all of five minutes. If the API key is rate limited such that overuse will get you banned, or pay-per-call like almost anything on the major cloud providers, don't distribute it to client machines.

Your solution is to write a server that sits between your software and the thing that your software wants to use, make users sign into that, and have it make the calls. Some systems will also provide per-user API key functionality (e.g. Twitter), which can make this easier because they're essentially providing the server instead of you.

Sometimes you don't have to send the API key in the request (e.g. Google Cloud service account signing), but you still have to store it somewhere on the system, and that's only going to be in one of so many places. This is called the trusted client problem, and is unsolvable in the general case. You might be able to look at using Intel TPM for it, but I don't think you can make I/O requests from inside the enclave, so all you'd be able to use it with is stuff that lets you sign requests before sending them. And you may not have access to that from C#; I believe it requires writing custom assembly or getting a C/C++ compiler to spit out special binaries.

-- 
Audiogames-reflector mailing list
Audiogames-reflector@sabahattin-gucukoglu.com
https://sabahattin-gucukoglu.com/cgi-bin/mailman/listinfo/audiogames-reflector
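The "server in the middle" pattern from the reply above, as an added example that is not part of the original post or any project it mentions. The third-party key exists only in the proxy process; clients authenticate to the proxy with their own password, receive a short-lived session token, and the proxy makes the upstream call for them with a per-user rate limit so one user cannot burn the shared quota. The upstream service (`fake_upstream`), the key string and the user records are constructed stand-ins; a real deployment would replace `fake_upstream` with an HTTPS call to the provider and keep the user store in a database.

```python
"""Added example: a minimal key-holding proxy (constructed, not production code)."""
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the third-party API. The key is checked here so the
# test can prove the proxy, not the client, is the one presenting it.
EXAMPLE_API_KEY = "sk-live-EXAMPLE-DO-NOT-SHIP"  # assumption: placeholder value


def fake_upstream(api_key: str, query: str) -> dict:
    if api_key != EXAMPLE_API_KEY:
        return {"error": "upstream rejected key"}
    return {"result": f"answer for {query!r}"}


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is in the standard library; a stronger KDF (argon2/scrypt) is
    # preferable when a third-party dependency is acceptable.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class KeyHoldingProxy:
    """Holds the upstream API key and calls the upstream on behalf of
    authenticated users. Nothing returned to a client ever includes the key."""

    def __init__(self, api_key, upstream, per_user_limit=3,
                 window_seconds=60, token_ttl=900):
        self._api_key = api_key          # never leaves this object
        self._upstream = upstream
        self._limit = per_user_limit     # calls allowed per user per window
        self._window = window_seconds
        self._ttl = token_ttl            # session lifetime in seconds
        self._users = {}                 # username -> (salt, pbkdf2 hash)
        self._sessions = {}              # token -> (username, expires_at)
        self._calls = {}                 # username -> recent call timestamps

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username, password):
        """Return a random session token, or None on bad credentials."""
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.time() + self._ttl)
        return token

    def call(self, token, query, now=None):
        """Validate the session, enforce the per-user rate limit, then make
        the upstream call with the server-held key. `now` is injectable so
        the rate-limit window can be tested deterministically."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None or session[1] < now:
            self._sessions.pop(token, None)
            return {"error": "not authenticated"}
        username = session[0]
        recent = [t for t in self._calls.get(username, []) if now - t < self._window]
        if len(recent) >= self._limit:
            self._calls[username] = recent
            return {"error": "rate limited"}
        recent.append(now)
        self._calls[username] = recent
        # The only place the key is ever used: server-side, on the user's behalf.
        return self._upstream(self._api_key, query)


if __name__ == "__main__":
    proxy = KeyHoldingProxy(EXAMPLE_API_KEY, fake_upstream, per_user_limit=2)
    proxy.register("alice", "correct horse battery staple")
    tok = proxy.login("alice", "correct horse battery staple")
    print(proxy.call(tok, "hello"))
    print(proxy.call(tok, "again"))
    print(proxy.call(tok, "third"))  # rate limited
```

The point to notice is that a compromised client, or a sniffer on the client's network, sees only its own session token and its own responses; revoking one user's access is deleting their session or account, not rotating the provider key for everyone. Token expiry and the rate-limit window are the two knobs that bound the damage from a stolen token.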