Storing API Credentials Securely

Have more questions? Submit a request

DataGrail takes a multi-layered approach to securing API credentials to customers’ software systems. This article will explain what measures are taken to ensure security within the platform.


First, the production PostgreSQL database that DataGrail uses is encrypted using AES-256 encryption. DataGrail makes use of Amazon Web Service’s (AWS) Relational Database Service to perform this encryption. 


In addition, the API secrets to each SaaS system are individually encrypted at the field-level. The encryption keys are generated and stored within AWS Secrets Manager.


Finally, DataGrail’s front end servers that are exposed to users are only able to write API secrets, not retrieve them. The worker servers that access customer systems are granted the ability to decrypt API secrets but are not user-facing.


This design affords a number of security properties.


If DataGrail’s database were ever to be compromised, customer API secrets remain securely encrypted and indecipherable to attackers. Similarly, if an encryption key in AWS Secrets Manger were inadvertently exposed, it is of no value without access to the encrypted secret stored in DataGrail’s PostgreSQL database.


Our worker servers with access to decrypt API secrets are separated from the areas of our architecture that are exposed to user interaction and the internet, thus keeping API secrets safe.



Disclaimer: The information contained in this message does not constitute as legal advice. We would advise seeking professional counsel before acting on or interpreting any material.

Articles in this section

Was this article helpful?
0 out of 0 found this helpful