Skip to main content

Non-encrypted confidential information - Base 64


To secure sensitive information like service credentials.


  • Usage of Elixir (1.12.0 and above) for building scalable and fault-tolerant applications
  • Usage of Phoenix Framework for web development
  • Usage of Ecto for database interactions


Non compliant code

defmodule MyApp.Config do
@db_username "c2VydmljZV91c2Vy"
@db_password "c2VydmljZV9wYXNzd29yZA=="

def get_db_credentials do
username = Base.decode64!(@db_username)
password = Base.decode64!(@db_password)
{username, password}

This code is vulnerable because it stores service credentials as Base64 encoded strings in the source code. While Base64 encoding might obscure the credentials at first glance, it is a reversible operation that does not provide any real security. Anyone with access to the code can easily decode the credentials.


  • Use environment variables to store service credentials.
  • Use a secure and encrypted key vault service to store sensitive data.
  • Purge sensitive data from version control history.

Compliant code

defmodule MyApp.Config do

def get_db_credentials do
username = System.get_env("DB_USERNAME")
password = System.get_env("DB_PASSWORD")
{username, password}

In this secure code example, environment variables are used to store the service credentials. This means that the credentials are no longer stored in the source code and can be managed securely outside the application, for example, through the settings of the hosting environment or using an encrypted key vault service.