Severity: High · CWE-321 · OWASP A02:2021

Hardcoded Encryption Key

Embedding encryption keys as string literals in code means anyone with repo access can decrypt your data.

How It Works

When a key is hardcoded, it gets committed to version control. Even private repos get leaked, shared with contractors, or exposed via GitHub search. Rotating a hardcoded key requires a code deploy, not just a config change.

Vulnerable Code

// BAD: key is in source code and will end up in git history
import crypto from 'node:crypto';
const key = 'my-super-secret-key-32bytes!!!!!'; // 32 ASCII bytes, so AES-256 accepts it, but it is hardcoded
const iv = crypto.randomBytes(12);
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);

Secure Code

// GOOD: key comes from the environment, never from source code
import crypto from 'node:crypto';
const key = Buffer.from(process.env.ENCRYPTION_KEY!, 'hex'); // 64 hex chars = 32 bytes
if (key.length !== 32) throw new Error('ENCRYPTION_KEY must decode to 32 bytes');
const iv = crypto.randomBytes(12);
const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);

Real-World Example

In 2023, a Toyota subsidiary exposed 296,000 customer records partly due to hardcoded credentials and keys left in a GitHub repo for nearly five years before being discovered.

How to Prevent It

  • Store all encryption keys in environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault)
  • Add pre-commit hooks or a secrets scanner (Gitleaks, Trufflehog) to catch keys before they're committed
  • Rotate any key that has ever been in source code — assume it's compromised
  • Use a minimum 256-bit key generated with a cryptographically secure random source

Affected Technologies

Node.js · Python · Java

Data Hogo detects this vulnerability automatically.
