Currently, I put the keys I use to access other APIs and the like in the environment.rb file. That way they are available both when I run locally and on Heroku.
However, I'd like to start to make my code available publicly via GitHub so I can get some help.
What are the steps I need to do to make this happen, particularly so that I can test locally and test on Heroku?
It seems like there's a way on Heroku to add the keys from a command line, so they don't need to reside in the Ruby on Rails app. But what about for local development?
If you are using dynamically generated secrets, the most effective way to store this information is to use the Android Keystore API. You should not store them in shared preferences without encrypting this data first because they can be extracted when performing a backup of your data.
Start your app locally using the heroku local command, which is installed as part of the Heroku CLI. Your app should now be running on http://localhost:5000/.
You can use environment variables (config vars on Heroku) to store your API keys and not check them into source.
For a project that I am working on, I use a fork of twitter-auth, and changed it to read the client secret and key from env variables:
http://github.com/dpmcnevin/twitter-auth/blob/ace5d60a8ed8121cca4c97ef30a0cd025b99bfe1/lib/twitter_auth.rb#L68
    OAuth::Consumer.new(
      ENV['oauth_consumer_key'] || config['oauth_consumer_key'],
      ENV['oauth_consumer_secret'] || config['oauth_consumer_secret'],
      options
    )

I then set up the keys in my .rvmrc in the project directory for local use:

    export oauth_consumer_key=xxxxxxxxxxxx
    export oauth_consumer_secret=xxxxxxxxxxxxxxxxxxx
    rvm ree@redactify
And finally set up the environment variables on Heroku:

    $ heroku config:add oauth_consumer_key=xxxxxxxxxxxxx
    $ heroku config:add oauth_consumer_secret=xxxxxxxxxxxxx
    $ heroku config
    DATABASE_URL => postgres://.....
    RACK_ENV => production
    oauth_consumer_key => xxxxxxxxxxxxxxxx
    oauth_consumer_secret => xxxxxxxxxxxxxxxxxxx

Then just make sure that your .rvmrc is in the .gitignore and then you can push to GitHub without exposing any API keys.
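
The setup described in the answer above, as an added Ruby example that is not part of the original answer: it resolves the two OAuth credentials with the same ENV-then-config precedence, fails fast when one is missing, and checks that the local secrets file is listed in .gitignore before a push. The helper names are hypothetical, the sample file contents are constructed, and the .gitignore check assumes a plain exact-name entry (no globs or negation).

```ruby
# Added example; helper names are hypothetical, sample data is constructed.
REQUIRED_KEYS = %w[oauth_consumer_key oauth_consumer_secret].freeze

# Same precedence as ENV[...] || config[...], but raise at boot if a key is
# absent or blank instead of handing nil to OAuth::Consumer.new.
def resolve_credentials(env, config = {})
  creds = REQUIRED_KEYS.to_h { |k| [k, env[k] || config[k]] }
  missing = creds.select { |_, v| v.nil? || v.strip.empty? }.keys
  raise KeyError, "missing credentials: #{missing.join(', ')}" unless missing.empty?
  creds
end

# Parse `export NAME=value` lines from an .rvmrc-style file body; other lines
# (such as `rvm ree@redactify`) are ignored.
def parse_exports(text)
  text.each_line.with_object({}) do |line, out|
    m = line.strip.match(/\Aexport\s+([A-Za-z_][A-Za-z0-9_]*)=(.*)\z/)
    out[m[1]] = m[2].strip.gsub(/\A["']|["']\z/, '') if m
  end
end

# True when the secrets file has its own entry in the .gitignore body.
# Assumption: exact-name entries only; comments and blank lines are skipped.
def ignored?(gitignore_text, filename)
  gitignore_text.each_line.map(&:strip)
                .reject { |l| l.empty? || l.start_with?('#') }
                .any? { |l| l.sub(%r{\A/}, '') == filename }
end

# Mask a secret for log output: keep only the last 4 characters.
def mask(secret)
  return '*' * secret.length if secret.length <= 4
  ('*' * (secret.length - 4)) + secret[-4, 4]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample contents standing in for .rvmrc and .gitignore.
  rvmrc = "export oauth_consumer_key=k-1234567890\n" \
          "export oauth_consumer_secret=s-abcdefghij\nrvm ree@redactify\n"
  gitignore = "# local secrets\n.rvmrc\nlog/\n"

  abort '.rvmrc is not in .gitignore' unless ignored?(gitignore, '.rvmrc')
  resolve_credentials(parse_exports(rvmrc)).each { |k, v| puts "#{k} = #{mask(v)}" }
end
```

In an application, pass `ENV` as the first argument and the parsed config file as the second.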