Best place to store secret keys in Rails


Ralph Shnelvar

Jul 17, 2017, 3:26:17 PM
to Ruby on Rails: Talk
If my code will not be shared, and my Rails app is on my own server, then does it make a difference whether the secret keys are in environment variables or in ~/config/secrets.yml?

Ralph

Walter Lee Davis

Jul 17, 2017, 5:33:04 PM
to rubyonra...@googlegroups.com
Probably not. But if the configuration comes from the environment, and the Apache/Nginx config is owned by a different user than the Rails app, then maybe there's a need for an attacker to get root, or at least compromise two users, in order to access the configuration. Seems weak as an argument to me. If someone owns your server, they own your server. These files need to be readable for other processes to read them.

I suspect that the larger issue under protection here is you uploading your code to Github/lab and then forgetting and making it public.

Walter

nynhex

Jul 17, 2017, 5:34:14 PM
to rubyonra...@googlegroups.com
Sure, why not. I store all my stuff in secrets.yml, but best practice is to not commit secrets.yml (or database.yml) to version control.


Phil Edelbrock

Jul 18, 2017, 10:08:55 AM
to rubyonra...@googlegroups.com
I would say, no, it doesn't matter. A couple of other ways to do it are to store the secrets in your database (assuming your database is secure), or as environment variables.

Phil

Frederick Cheung

Jul 18, 2017, 10:13:02 AM
to Ruby on Rails: Talk
At the point where they can run code on your servers it's game over anyway (for example, attach gdb to the running process and extract the value that way). More relevant are things like:

- source control (as you note)
- your development machine gets stolen, compromised etc.

Personally, I would also consider not having secrets there a protection against myself: it stops me accidentally running stuff in a development environment that ends up using the production version of some API.

Fred
 
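The two storage options the thread compares, plus the two practical points raised in the replies (keep the file out of other users' reach, and never let a development process pick up production keys), as an added example that is not from any poster in the thread and not Rails' own loader. It prefers an environment variable, falls back to an environment-keyed YAML file laid out like Rails' config/secrets.yml, rejects a file whose mode lets group or others read it, and refuses to fall back to another environment's section. The file path, the SECRET_KEY_BASE name and the sample YAML contents are assumptions made for the example.

```ruby
require "yaml"
require "tempfile"

# Added example loader (not Rails code): resolves one named secret for a given
# Rails environment from ENV first, then from a secrets.yml-style file.
module SecretStore
  class Error < StandardError; end

  # Constructed sample of the per-environment layout used by Rails' secrets.yml.
  SAMPLE_YAML = <<~YAML
    development:
      secret_key_base: dev-only-not-secret
    production:
      secret_key_base: 9f3a-example-production-key
  YAML

  # Lookup order: ENV["SECRET_KEY_BASE"] (name upcased), then the YAML file.
  # `environ` is injectable so the behaviour can be exercised without touching ENV.
  def self.fetch(name, env:, environ: ENV, file: "config/secrets.yml")
    env_key = name.to_s.upcase
    value = environ[env_key]
    return value if value && !value.empty?

    raise Error, "#{file} missing and #{env_key} not set" unless File.exist?(file)
    check_permissions!(file)

    data = YAML.safe_load(File.read(file)) || {}
    section = data[env.to_s]
    # Only the requested environment's section is consulted: a development
    # process never silently reads the production entry.
    raise Error, "no #{env} section in #{file}" unless section.is_a?(Hash)
    section.fetch(name.to_s) { raise Error, "#{name} not defined for #{env}" }
  end

  # Reject the file if any group/other permission bit is set (expects 0600).
  def self.check_permissions!(file)
    mode = File.stat(file).mode & 0o777
    return if (mode & 0o077).zero?

    raise Error, format("%s is mode %04o; expected 0600", file, mode)
  end
end

if __FILE__ == $PROGRAM_NAME
  Tempfile.create("secrets") do |f|
    f.write(SecretStore::SAMPLE_YAML)
    f.flush
    File.chmod(0o600, f.path)
    puts SecretStore.fetch(:secret_key_base, env: :development, environ: {}, file: f.path)
  end
end
```

Both the ENV path and the file path end with the key in the process's memory, which is the thread's point: the choice only matters for what lands in version control, on a stolen laptop, or in the wrong environment.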