Friday, June 20, 2014

Talk: Don't Commit Your Secrets

On Tuesday this week, I presented a talk to Montreal.rb on keeping your application secrets safe. Posted below is the video, slides and some follow-up questions during and after the presentation. Enjoy!




How can I remove a secret from your Git repository?
GitHub has an excellent post on how to do this: Remove sensitive data. However, if you have committed a secret to your repository which has been push to a remote, then consider that secret compromised. You will need to reset the secret (i.e. create a new API key) and configure your application using the techniques described above.

How can I keep my secrets safe with an application pre-Rails 4.1?
Check out these options:

  • foreman: recommended - any Rack app
  • dotenv: great for plain old Ruby Gems too
  • figaro: YAML
  • capistrano: linking to a configuration file in production

Please note this blog is no longer maintained. Please visit CivilCode Inc - Custom Software Development.