|
|
|
|
|
|
by eihli
2164 days ago
|
|
|
I came across a blogpost describing this workflow recently and I'm curious to hear HN opinions about it. Any pitfalls? https://matthewdowney.github.io/encrypting-keys-in-clojure-a... 1. Generate a new set of API keys. 2. Read my encrypted map of keys from disk, decrypt it with a passphrase, assoc in the new key & secret, encrypt it again, and write it to disk. 3. At the entry point for my application, use (.readPassword (System/console)) to securely read in the passphrase, and then use it to decrypt the key file and read it into a Clojure map. 4. Instead of passing the key map around (allowing it to potentially escape into a debug log, or be printed at the REPL if I do something dumb), the top level code of my application passes the credentials into a signer-factory for each api that closes over the credentials. ;; The factory is shaped something like this
(defn request-signer-factory
[{:keys [key secret]]
(fn [request-to-sign]
(sign-request request-to-sign key secret)))
;; Then an API endpoint looks like this
(defn place-order!
[signer {:keys [price qty side market post-only?]}]
(let [request (comment "Format the order data for the exchange")
signed (singer request)]
(do-http-request! signed)))
I like this workflow more than others which are centered around only encrypting credentials inside of your Git repository, and decrypting them when you clone / pull, because it means that not even on my development machine are keys just sitting around in plaintext. |
|
|