I have a bitcoin-account-related site; the server code is entirely Node.js.
Everybody gets a bitcoin address after registration. All the private keys are encrypted and stored in Google Drive using google-api-nodejs-client; the id and secret for OAuth2Client are in a config file.
What makes me uncomfortable is...
If someday my server is cracked by a hacker, of course he will get my server code, and then he will find out the OAuth2Client-related information.
So what should I do to keep the private keys safe, even if my server is cracked?
If the private keys are for users of your application and you do not need them while they are not logged in, I would recommend encrypting each uniquely with a passphrase from the user which you do not store anywhere.