I am working on some collections for my team and wondering how the environment variable session values are stored at rest. The documentation says to use variables for API keys and passwords, but are they encrypted and secure enough to store an API key or password? Is there any way to keep secure values secure and encrypted?
Environment and Global variables are AES-256-GCM encrypted at the application layer before storage. Postman also has a notion of Sessions in the >=6.2 release of Postman. For data which a user does not want to be synced to Postman servers, we recommend using Session variables, which by default do not automatically sync.
This information is publicly available at https://www.getpostman.com/security
I was not able to find that information on my own in the documentation. Just to confirm, “encrypted at the application layer” means that session variables are encrypted on the local machine and the only time these are available is if the user who created them is logged in. Is there any way to hide the values in the UI from ‘over the shoulder’ viewers when using the editor?
Not on the local machine. To clarify, here “encrypted at the application layer” means our cloud services encrypt them before storing them in our storage medium. We do not store environment and global variables in clear-text format.
Currently, we do not have any way to hide the values in the UI.
I find the wording “encrypted at the application layer” to be very misleading then. I, and many others I have spoken to regarding this, would expect the application layer to be between the presentation layer (the Postman GUI) and the data layer (anywhere the variables are stored). Expecting customers to store passwords or any secure data in a non-encrypted file, clear-text or not, is very insecure.
Are you aware of any future plans to start encrypting the session variable values and having an option to hide sensitive data values in the UI?
@creichenbach_cb, We’ll review and make the required changes to our security page to reflect the sense of encryption approach we’ve used for environments and global variables.
And regarding environment value masking, feel free to create a feature request at https://github.com/postmanlabs/postman-app-support