Currently, I put the keys I use to access other APIs and the like in the environment.rb file. That way they are available both when I run locally and on Heroku.

However, I'd like to start to make my code available publicly via GitHub so I can get some help.

What are the steps I need to do to make this happen, particularly so that I can test locally and test on Heroku?

It seems like there's a way on Heroku to add the keys from a command line, so they don't need to reside in the Ruby on Rails app. But what about for local development?

+1  A: 

Move them to an initializer and add the file to .gitignore.

EDIT:

There is a directory in config called initializers. This is where you place code that is supposed to run once when your application starts. In the past, environment.rb was used for these settings, but initializers keep things better organized. I would create a file in the initializers directory called "load_keys.rb" or something like that. In this file, you would put the exact code that was in your environment.rb file that you don't want in GitHub.

Beerlington
Hi, sorry, what do you mean by move to an initializer?
Angela
No prob, I updated my original post with more info about initializers. I'm assuming you know what .gitignore is since you didn't ask.
Beerlington
yes, thanks, I'm familiar with .gitignore :) I am familiar with the directory but wasn't sure what to do with it....
Angela
Okay, I think I get it... so the sequence would probably be: 1) change all the keys (these have been added to the git repository history, so if I put it into GitHub all that history would be there as well, no?); 2) move the key assignments to this separate file load_keys.rb; 3) add it to the .gitignore file?
Angela
Oh, and then manually add the keys to Heroku?
Angela
That sounds about right. Here's some more info if you want to remove the keys from your repo's history http://help.github.com/removing-sensitive-data/
Beerlington
A: 
  1. Put your private keys in ~/.ssh as usual.
  2. Encrypt your private keys with a passphrase.
  3. Install keychain.
  4. Add eval $(keychain --eval private-key-file1 private-key-file2 private-key-file3) to your ~/.bashrc, ~/.profile, ~/.bash_profile or what have you. (See the keychain man page for csh, tcsh, zsh, or whatever.)
Matt Kane
+1  A: 

You can use environment variables (config vars on Heroku) to store your API keys and not check them into source.

For a project that I am working on, I use a fork of twitter-auth, and changed it to read the client secret and key from env variables:

http://github.com/dpmcnevin/twitter-auth/blob/ace5d60a8ed8121cca4c97ef30a0cd025b99bfe1/lib/twitter_auth.rb#L68

OAuth::Consumer.new(
  ENV['oauth_consumer_key'] || config['oauth_consumer_key'],
  ENV['oauth_consumer_secret'] || config['oauth_consumer_secret'],
  options
)

I then set up the keys in my .rvmrc in the project directory for local use:

export oauth_consumer_key=xxxxxxxxxxxx
export oauth_consumer_secret=xxxxxxxxxxxxxxxxxxx
rvm ree@redactify

And finally set up the environment variables on Heroku:

$ heroku config:add oauth_consumer_key=xxxxxxxxxxxxx
$ heroku config:add oauth_consumer_secret=xxxxxxxxxxxxx
$ heroku config
DATABASE_URL          => postgres://.....
RACK_ENV              => production
oauth_consumer_key    => xxxxxxxxxxxxxxxx
oauth_consumer_secret => xxxxxxxxxxxxxxxxxxx

Then just make sure that your .rvmrc is in the .gitignore and then you can push to GitHub without exposing any API keys.

Dan McNevin
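
The two approaches above (a git-ignored file for local work, environment variables on Heroku) can be combined in one loader that fails at boot when a key is missing. This is an added example, not code from any of the answers or from twitter-auth; `load_api_keys`, `MissingSecretError`, `gitignored?` and the optional YAML file are hypothetical names chosen for illustration.

```ruby
require 'yaml'

# Names of the secrets the app needs (the two used in the answer above).
REQUIRED_KEYS = %w[oauth_consumer_key oauth_consumer_secret].freeze

class MissingSecretError < StandardError; end

# Resolve each required key from the environment first (Heroku config vars,
# or exports in a git-ignored .rvmrc), then from an optional git-ignored
# YAML file. Blank values count as missing so an empty export fails loudly.
def load_api_keys(env: ENV, file: nil, required: REQUIRED_KEYS)
  from_file = {}
  if file && File.exist?(file)
    parsed = YAML.safe_load(File.read(file))
    from_file = parsed if parsed.is_a?(Hash)
  end

  keys = required.each_with_object({}) do |name, out|
    value = env[name].to_s.strip
    value = from_file[name].to_s.strip if value.empty?
    out[name] = value unless value.empty?
  end

  missing = required - keys.keys
  unless missing.empty?
    # Report names only; never echo secret values into logs.
    raise MissingSecretError, "missing API keys: #{missing.join(', ')}"
  end
  keys.freeze
end

# True when `path` is listed in the given .gitignore text. Simplified:
# exact path or basename entries only, no glob or negation support.
def gitignored?(path, gitignore_text)
  entries = gitignore_text.lines.map(&:strip)
                          .reject { |l| l.empty? || l.start_with?('#') }
  entries.any? { |e| e.sub(%r{\A/}, '') == path || e == File.basename(path) }
end
```

In a Rails app this would be called once from a file in config/initializers, passing the path of the git-ignored YAML file if one is used; on Heroku the file is absent and only the config vars are read.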