How do I open source my Rails apps without giving away the app's secret keys and credentials

I have a number of Rails apps hosted on GitHub. They are all currently private, and I often will deploy them from their GitHub repository. I'd like to be able to make some of them open source, just like the ones you can find on http://opensourcerails.com.

My question is: How can I make these repositories public without giving away super secret credentials?

For example, I can look in /config/initializers/cookie_verification_secret.rb and see the cookie secret for nearly every one of them. I don't understand how this is acceptable. Are these users all changing these values in their deploy environments somehow?

Some users even expose their AWS secret and key! Others will instead set their AWS secret to something like:

ENV['aws-secret'] 

although I'm not sure at what point they're setting that value.

So, what are the best practices for open sourcing your Rails app without compromising your app's security?

ballgame asked Jul 08 '10 20:07

1 Answer

I recently went through this with one of my own apps. My solution was to store anything secret in a git-ignored YAML config file, and then to access that file using a simple class in the initializers directory. The config file is stored in the 'shared' folder for the Capistrano deployment and copied to config at each deploy.

Config store: http://github.com/tsigo/jugglf/blob/master/config/initializers/juggernaut.rb

Example usage: https://github.com/tsigo/jugglf/blob/6b91baae72fbe4b1f7efa2759bb472541546f7cf/config/initializers/session_store.rb

You may also want to remove from source control all history of the file that used these secret values. Here's a guide for doing this in Git that I used: http://help.github.com/removing-sensitive-data/

Robert Speicher answered Oct 10 '22 00:10
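An added example of the pattern the answer describes (this is not the answer's code and not the juggernaut.rb from the linked repository): a small loader class that reads a git-ignored per-environment YAML file, falls back to an environment variable as the question's ENV['aws-secret'] approach does, and fails at boot instead of returning nil when a secret is missing. The file name config/app_secrets.yml, the class name, the APP_ prefix and the YAML contents are all constructed for this example.

```ruby
require 'yaml'
require 'tempfile'

# Loader for a git-ignored YAML file keyed by Rails environment (hypothetical
# path config/app_secrets.yml). Not part of the original answer.
class AppSecrets
  class MissingSecret < StandardError; end

  def initialize(path, env: 'development', environ: ENV)
    @env = env
    @environ = environ
    # safe_load refuses arbitrary object tags, so a tampered YAML file
    # cannot instantiate objects; an absent or empty file yields {}.
    raw = File.exist?(path) ? (YAML.safe_load(File.read(path)) || {}) : {}
    @values = raw.fetch(env, {})
  end

  # Lookup order: the YAML section for the current environment, then the
  # environment variable APP_<KEY>. Raise rather than return nil so a missing
  # secret is caught when the initializer runs, not at first use in a request.
  def fetch(key)
    value = @values[key.to_s] || @environ["APP_#{key.to_s.upcase}"]
    if value.nil? || value.to_s.empty?
      raise MissingSecret, "no value for #{key} in #{@env} environment"
    end
    value
  end
end

# Constructed sample standing in for the git-ignored file; the values are
# placeholders, not real credentials.
SAMPLE_YAML = <<~YAML
  development:
    cookie_secret: "dev-only-placeholder"
  production:
    cookie_secret: "SET_ON_SERVER_ONLY"
YAML

# Writes the sample to a temp file and yields its path, so the example
# runs offline without touching the real config directory.
def with_sample_file
  Tempfile.create(['app_secrets', '.yml']) do |f|
    f.write(SAMPLE_YAML)
    f.flush
    yield f.path
  end
end

with_sample_file do |path|
  puts AppSecrets.new(path, env: 'development', environ: {}).fetch(:cookie_secret)
end
```

In a real app the initializer would instantiate the class once with Rails.root.join('config', 'app_secrets.yml') and Rails.env, and the deploy step would copy the file from the shared directory as the answer describes.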