Where to store sensitive data in public rails app?

by

TLDR: Use environment variables!

I think @Bryce’s comment offers an answer, which I’ll just flush out. It seems one approach Heroku recommends is to use environment variables to store sensitive information (API key strings, database passwords). So survey your code and see in which you have sensitive data. Then create environment variables (in your .bashrc file for example) that store the sensivite data values. For example for your database:

export MYAPP_DEV_DB_DATABASE=myapp_dev
export MYAPP_DEV_DB_USER=username
export MYAPP_DEV_DB_PW=secret

Now, in your local box, you just refer to the environment variables whenever you need the sensitive data. For example in database.yml :

development:
  adapter: mysql2
  encoding: utf8
  reconnect: false
  database: <%= ENV["MYAPP_DEV_DB_DATABASE"] %>
  pool: 5
  username: <%= ENV["MYAPP_DEV_DB_USER"] %>
  password: <%= ENV["MYAPP_DEV_DB_PW"] %>
  socket: /var/run/mysqld/mysqld.sock

I think database.yml gets parsed just at the app’s initialization or restart so this shouldn’t impact performance. So this would solve it for your local development and for making your repository public. Stripped of sensitive data, you can now use the same repository for the public as you do privately. It also solves the problem if you are on a VPS. Just ssh to it and set up the environment variables on your production host as you did in your development box.

Meanwhile, if your production setup involves a hands off deployment where you can’t ssh to the production server, like Heroku’s does, you need to look at how to remotely set up environment variables. For Heroku this is done with heroku config:add. So, per the same article, if you had S3 integrated into your app and you had the sensitive data coming in from the environment variables:

AWS::S3::Base.establish_connection!(
  :access_key_id     => ENV['S3_KEY'],
  :secret_access_key => ENV['S3_SECRET']
)

Just have Heroku create environment variables for it:

heroku config:add S3_KEY=8N022N81 S3_SECRET=9s83159d3+583493190

Another pro of this solution is that it’s language neutral, not just Rails. Works for any app since they can all acquire the environment variables.

More Related Contents:

  1. Is it secure to store passwords as environment variables (rather than as plain text) in config files?
  2. Setting Environment Variables in Rails 3 (Devise + Omniauth)
  3. Capistrano and environment variables
  4. Boolean Validation
  5. Convert url from https to http [closed]
  6. WARNING: Can’t verify CSRF token authenticity rails
  7. SSL Error When installing rubygems, Unable to pull data from ‘https://rubygems.org/
  8. Nested attributes unpermitted parameters
  9. What is the easiest way to duplicate an activerecord record?
  10. Rails 3.1 asset pipeline: how to load controller-specific scripts?
  11. rails – Devise – Handling – devise_error_messages
  12. How to solve error “Missing `secret_key_base` for ‘production’ environment” (Rails 4.1)
  13. How can I avoid running ActiveRecord callbacks?
  14. Rails 5: Load lib files in production
  15. How does instance_eval work and why does DHH hate it?
  16. test a file upload using rspec – rails
  17. How to query a model based on attribute of another model which belongs to the first model?
  18. Rails 4: assets not loading in production
  19. Overriding a module method from a gem in Rails
  20. Remove ActiveRecord in Rails 3
  21. Rails – Validate Presence Of Association?
  22. visit_Psych_Nodes_Alias: Unknown alias: default (Psych::BadAlias)
  23. Why does installing Ruby on Rails generate error “size of array ‘ruby_check_sizeof_voidp’ is negative”?
  24. JSON encoding wrongly escaped (Rails 3, Ruby 1.9.2)
  25. Protected and private methods in Rails
  26. How to use the I18n fallback features in Rails 3
  27. How do I avoid a race condition in my Rails app?
  28. Rails Model has_many with multiple foreign_keys
  29. Ruby 1.9.2 and Rails 3 cannot open rails console
  30. JWT token decoding even when the last character of the signature is changed

Leave a Comment