Hi Ricardo, makes sense, thanks.
Would you then recommend to encrypt API keys?

Hi André,

Sorry for the late reply, but yes, of course I would.

You can use the pattern shown in Crypto API Demo where you generate a key, save it to a site property and encrypt the api keys with that key.

Hello António,

That is correct. SaveKey will encrypt the key being saved with the environment's private key.

This key is generated once per installation and is unique per environment in On-Premise environments and in the OutSystems Enterprise Cloud.

Hello Ricardo,

I'll use this post, as my question comes upon this implementation. I'm following exactly what you have in your demo app (as picture above by André). My question is, we still end-up with two "plain text" site properties within our module (ProtectedSiteProperty and SavedKey). My questions is, how is this better than just storing the key in plain text manually wihtout using the save key action? I belive there's extra security following your implementation, I'm just not fully understanding it.

Thanks for your help!

Ricardo Pedroso

Hi,

The example above is taking care of 2 things and that is why you end up with 2 site properties.

The first one, SavedKey, is used to safely store the result of the NewKey.
You generate a new private key and then encrypt it so that it can be safely stored in site property to be used in the future.

The other one, ProtectedSiteProperty is the actual encrypted value of your site property you want to save.
This value is encrypted using the key that is stored on the SavedKey.

That is the reason you end up with 2 site properties. You don't need to store the SavedKey in a site property though.
You could use the same key to encrypt other site properties and values, however, the more you share the same key, the higher the risk once the key gets compromised.

Hope this helps,