Closed anandbn closed 12 years ago
Here's a quick overview of the Eclipse Secure store. E.g. CVS info, ... is stored in it. http://help.eclipse.org/helios/index.jsp?topic=%2Forg.eclipse.platform.doc.isv%2Fguide%2Fsecure_storage_dev.htm
This is kinda silly because the decryption key / salt will have to also be on the same computer as the key so that the encrypted token can be used for API calls. So this is just security through a thin veil of obscurity. Plus the Heroku CLI stores it in plain text.
@jamesward - Encrypting is a requirement in prep for our Safe Harbour certification so we don't have a choice. I looked at secure storage and it looks like it can leverage OS level key chains by default.
The CLI will be implementing encryption based on my conversation with Tom Maher.
Safe Harbor certification is good. :)
Mac and Linux have key chains but what about Windows?
I got confirmation from the security team and Eclipse Secure Storage is good for the security requirements.
@jamesward - http://help.eclipse.org/helios/index.jsp?topic=%2Forg.eclipse.platform.doc.user%2Freference%2Fref-securestorage-options.htm states that for Windows it uses a random key generated based off the Win Login password.
@tomsontom - Please fix the code to use secure storage and then close out the issue.
Awesome! I'm glad this is easy to do!
Due to our stringent security policies, Heroku's Security team has advised that we store the API key in encrypted format. We will need to find a way to "secure" the API key preference. Please provide details on what is possible and I can review it with the security team if the default mechanism works.