Where should I store sensitive files on Heroku?

Question

There's probably an obvious answer to this question that I'm just not thinking of. I know that sensitive data such as secure credentials are best stored on a service like Heroku using environment variables via Heroku's CLI with heroku config:add. But what about sensitive files, such as certificates? Specifically I'm wondering what I should do with my certificate for Apple Push Notifications (APN).

I'm taking a stab at implementing this myself since the silence in response to this question leads me to believe there aren't a lot of great alternatives there (and Urban Airship looks too expensive). From taking a gander at APN on Rails, I see that they actually store certificates in the database. Does that make sense? Or would it make sense to actually store the content of the certificate in an environment variable (not sure if that's even possible)?

Answer 1

You can set the whole certificate in an environment variable.

See this answer: Multi-line config variables in Heroku

Answer 2

You might consider storing the cert in S3 which can be downloaded by each process at startup and stored in memory (or memcached/redis) for subsequent access.

If you're really feeling it you might consider creating your own buildpack which does the cert download at slug compile time and makes it available on the slug filesystem.