
I have a global API key for authenticating requests to my server's API.

So the API key has to be stored somewhere in my Rails application or on the server.

After a quick search, most people seem to recommend storing your keys in a .yml file and loading it in your application. They claim that this is safe because the .yml file is not checked in to git/source control.

Obviously you should add the .yml file to the .gitignore, otherwise it will be added to git.

But if you do that, then how can the file be loaded after deployment (Capistrano) if the .yml file isn't checked in to git and doesn't exist on the server?

Here is an example railscast that demonstrates storing the keys in .yml files:

http://railscasts.com/episodes/85-yaml-configuration-file?autoplay=true

user3494179
  • I know it's not what you asked, but in production you can set your API key in an environment variable to avoid putting your file in production. – XavM Aug 30 '16 at 14:18
  • You mean manually adding the keys to env vars on the server? – user3494179 Aug 30 '16 at 14:20

2 Answers


Capistrano will push your secrets.yml file directly to production without going through git:

bundle exec cap production setup
  • Another solution is to put your keys into environment variables: for example, it's really easy to do on Heroku, in the CLI as well as in the web interface (I use this method).

  • Some talks also say to put your keys in a separate git repo with really restricted access, and the deploy script deploys from both repositories.

  • You can also create a symlink between your key file and the real key file (in app_folder/shared/key.yml), as described in this post.

XavM
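The symlink approach in the answer above is the same mechanism Capistrano 3 provides through its `linked_files` setting: the secrets file is placed once under `shared/` on the server (by hand or by a provisioning task, never via git), and every new release gets a symlink to it, which is why the file "exists on the server" even though it is not in the repository. The following Ruby script is an added example, not code from the answer or from Capistrano; it simulates that linking step in a temporary directory layout (`shared/config/secrets.yml`, `releases/<timestamp>/config/secrets.yml`, and the key value are all constructed), then loads the key and refuses a secrets file that other users on the host can read.

```ruby
# Added example: simulate Capistrano-style linked_files for a secrets file.
# All paths and the key value are constructed for the demo.
require "fileutils"
require "tmpdir"
require "yaml"

# Create symlinks from release_path to the copies kept in shared_path, the way
# Capistrano 3's linked_files does on each deploy. The shared copy must already
# exist on the server; deploying cannot conjure it from git.
def link_shared_files(shared_path, release_path, files)
  files.map do |rel|
    src = File.join(shared_path, rel)
    dst = File.join(release_path, rel)
    raise "missing shared file #{src}; create it on the server first" unless File.exist?(src)
    FileUtils.mkdir_p(File.dirname(dst))
    FileUtils.rm_f(dst) # a checked-in placeholder must not shadow the real file
    File.symlink(src, dst)
    dst
  end
end

# Load the API key for one environment. File.stat follows the symlink, so the
# permission check applies to the real file under shared/.
def load_api_key(path, env)
  mode = File.stat(path).mode & 0o777
  if (mode & 0o077) != 0
    raise "#{path} is readable by group/others (mode #{format('%o', mode)}); chmod 600 it"
  end
  YAML.safe_load(File.read(path)).fetch(env).fetch("api_key")
end

# End-to-end run in a throwaway directory; returns the loaded key.
def demo
  Dir.mktmpdir do |root|
    shared  = File.join(root, "shared")
    release = File.join(root, "releases", "20160830")
    FileUtils.mkdir_p(File.join(shared, "config"))
    FileUtils.mkdir_p(File.join(release, "config"))

    # Provisioning step: the secret lives only here, owner-readable.
    secrets = File.join(shared, "config", "secrets.yml")
    File.write(secrets, { "production" => { "api_key" => "EXAMPLE-KEY-not-real" } }.to_yaml)
    File.chmod(0o600, secrets)

    # Deploy step: the fresh checkout has no secrets.yml; the link supplies it.
    link_shared_files(shared, release, ["config/secrets.yml"])
    load_api_key(File.join(release, "config", "secrets.yml"), "production")
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

In a real deploy the `demo` setup half is done once per server and the `link_shared_files` half runs every release; the permission check is the part worth keeping, since a `shared/` file created with the default umask is typically world-readable.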

Using ENV vars is the most robust, cross-platform and secure method to handle configuration and secrets.

  • No risk of accidentally committing secrets to source control.
  • No risk of accidentally uploading the wrong config to production.
  • Changing configuration can be done without redeploying the application.
  • Each developer, server cluster, etc. can have its own configuration.

https://12factor.net/config

max
  • How exactly to setup ENV vars in your production environment varies greatly depending on the infrastructure used. – max Aug 30 '16 at 18:25
  • People who have access to your server can see the keys in plain text? Why is this better than just storing the API key in the database? – user3494179 Aug 31 '16 at 07:29
  • An attacker that has access to your server has owned you totally anyway. Placing the keys in the db just makes your app slower. – max Aug 31 '16 at 08:36
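Reading the key from an environment variable, as the answer above recommends, still leaves three things to get right in the application: fail at boot when the variable is unset (rather than at the first request), compare presented keys in constant time, and keep the value out of logs and exception messages. The Ruby below is an added example, not code from the answer or from Rails; `ApiConfig`, `Secret`, the `API_KEY` variable name, the `X-API-Key` header and the sample key are all assumptions for the demo. The `env` argument is a plain Hash so the loader can be exercised offline; in an app you would pass `ENV`.

```ruby
# Added example: load an API key from the environment and use it safely.
# Names (ApiConfig, Secret, API_KEY, X-API-Key) and the key value are constructed.
require "digest"

# Wraps the key so it never shows up in logs, inspect output or string
# interpolation, and so equality is checked in constant time.
class Secret
  def initialize(value)
    @value = value.dup.freeze
  end

  # Hash both sides first so a length mismatch does not short-circuit, then
  # XOR every byte; the loop always runs over the full digest.
  def matches?(candidate)
    return false unless candidate.is_a?(String)
    a = Digest::SHA256.digest(@value).bytes
    b = Digest::SHA256.digest(candidate).bytes
    a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def to_s
    "[REDACTED]"
  end
  alias inspect to_s
end

module ApiConfig
  # Call once at boot; a missing or blank variable aborts startup with a
  # message that names the variable but never echoes any value.
  def self.load(env = ENV, var: "API_KEY")
    value = env[var].to_s
    raise "#{var} is not set; export it in the server's environment" if value.strip.empty?
    Secret.new(value)
  end
end

# Rack-style request check: the client sends the key in an X-API-Key header,
# which Rack exposes as HTTP_X_API_KEY.
def authorized?(secret, rack_env)
  secret.matches?(rack_env["HTTP_X_API_KEY"])
end

if $PROGRAM_NAME == __FILE__
  key = ApiConfig.load({ "API_KEY" => "constructed-example-key-0123456789" })
  puts "loaded: #{key}" # prints [REDACTED]
  puts authorized?(key, { "HTTP_X_API_KEY" => "constructed-example-key-0123456789" })
end
```

Note that `ApiConfig.load` raises with the variable name only; if you log the exception on boot, the log line tells the operator what to export without copying a half-set or mistyped secret into the log.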