Storing secure keys on Ubuntu web server

Posted by Sencha on Server Fault See other posts from Server Fault or by Sencha
Published on 2012-11-29T18:19:48Z Indexed on 2012/12/13 17:05 UTC
Read the original article Hit count: 269

Filed under:
|
|
|
|

I'm running Ubuntu 12.04 Precise with a DUNG (Django, Unix, Nginx & Gunicorn) environment and my app (as well as various config files) is stored in a python virtual environment inside /srv, which the www-data user has access to.

The nginx & gunicorn processes are all run as www-data.

My web app requires secure credentials which I am storing in an environment.sh file. This file contains various exports and is run using source before the gunicorn processes execute.

My concern is the location of the environment.sh file and it's permissions. Will it be okay storing this file inside the /srv folder where the www-data has access to it? Or should it be stored and owned by root somewhere else such as /var/myapp/environment.sh?

Also, regarding the www-data user, if any of my web processes (which are run as www-data) are compromised and someone gains access to them, does that mean that the user could potentially read any file on the system, even if they can't write? Including my secure keys?

© Server Fault or respective owner

Related posts about ubuntu

Related posts about nginx