We do not store secrets or API keys as-is in the database. Instead,
we use a secret management system. We currently support a few providers,
which are listed below. Our source code is 100% public and you can view
the implementations on GitHub.
We also deploy the exact version on GitHub to our prod servers without any modification
whatsoever. Our deployment can be found on GitHub too.
There currently isn’t a migration process from one provider to another, but it
is something we might explore in the future. This is also why we have chosen
to support only the most reliable and popular managers.
AES
We highly recommend this option, as it does not require you to set up any additional infrastructure.
While this is not a secret manager, aes-gcm
encrypts your data before it is stored in the database.
MALAK_SECRETS_PROVIDER=aes_gcm
MALAK_SECRETS_AES_KEY=ujffjkfk
You can generate your aes_gcm key with:
LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32; echo
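The encrypt-before-store pattern described above, sketched in Go as an added example; this is not Malak's own code. The function names, the use of the 32-character key directly as raw key bytes, and the base64(nonce || ciphertext || tag) storage layout are all assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD. Assumption: the key is used as 32 raw bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("need a 32-byte AES-256 key, got %d bytes", len(key))
	}
	return cipher.NewGCM(block)
}

// encryptSecret returns base64(nonce || ciphertext || tag), ready for a database column.
func encryptSecret(key, plaintext []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce for every stored value
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(gcm.Seal(nonce, nonce, plaintext, nil)), nil
}

// decryptSecret reverses encryptSecret and fails if the stored value was modified.
func decryptSecret(key []byte, stored string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil || len(raw) < gcm.NonceSize() {
		return nil, fmt.Errorf("malformed stored value")
	}
	return gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], nil)
}

func main() {
	stored, err := encryptSecret([]byte("0123456789abcdefghijklmnopqrstuv"), []byte("constructed-api-key"))
	fmt.Println(stored, err) // constructed sample key and secret
}
```

If the 32 characters are used directly as key bytes, a key drawn from A-Za-z0-9 carries about 190 bits of entropy rather than the 256 bits of a uniformly random key.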
Hashicorp Vault
MALAK_SECRETS_PROVIDER=vault
MALAK_SECRETS_VAULT_ADDRESS=ujffjkfk
MALAK_SECRETS_VAULT_TOKEN=ujffjkfk
MALAK_SECRETS_VAULT_PATH=ujffjkfk
Infisical
MALAK_SECRETS_PROVIDER=infisical
MALAK_SECRETS_INFISICAL_CLIENT_ID=ujffjkfk
MALAK_SECRETS_INFISICAL_CLIENT_SECRET=ujffjkfk
MALAK_SECRETS_INFISICAL_SITE_URL=ujffjkfk
MALAK_SECRETS_INFISICAL_ENVIRONMENT=ujffjkfk
AWS Secrets Manager
MALAK_SECRETS_PROVIDER=secrets_manager
MALAK_SECRETS_SECRETS_MANAGER_REGION=eu-west-2
MALAK_SECRETS_SECRETS_MANAGER_ACCESS_KEY=jgkjfk
MALAK_SECRETS_SECRETS_MANAGER_ACCESS_SECRET=jgkjfk
MALAK_SECRETS_SECRETS_MANAGER_ENDPOINT=eu-west-2