@ndelage
Last active December 25, 2015 19:09

Managing Secret Data in Open source Applications

If you're working on an open source project, committing API keys or secrets to your repo is a big no-no. You wouldn't want anyone else making requests with your keys, right?

So instead of putting those keys in app/config/initializers, set them as environment variables in your shell. Here's an example for a Facebook API key:

export FB_API_KEY=3629346238763284623874623

Then in your app, load the variable via your environment:

Facebook::Api::KEY = ENV['FB_API_KEY']

All environment variables are available via the constant ENV. You can see all the currently set environment variables in your shell by running the command env:

$ env
SHELL=/opt/boxen/homebrew/bin/zsh
HOME=/Users/nate
USER=nate
LOGNAME=nate
DISPLAY=/tmp/launch-GHgzYV/org.macosforge.xquartz:0
COMMAND_MODE=unix2003
__CF_USER_TEXT_ENCODING=0x1F5:0:0
TERM_PROGRAM=iTerm.app
COLORFGBG=7;0
LANG=en_US.UTF-8
ITERM_PROFILE=Default
TERM=xterm-color
FB_API_KEY=3629346238763284623874623

Improved Local Setup

Remembering to set a collection of environment variables locally can be a real pain. What if you open a new shell? Time to set each variable again! Ain't nobody got time for that!

dotenv to the rescue

dotenv is a great Ruby gem that automatically loads in keys & values from a yaml file, making them available via the ENV hash we used earlier. With dotenv, you'll set all of your config in a file .env. Don't commit this file (add it to your .gitignore).
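To make the mechanism visible, here is an added example that is not the dotenv gem itself: a small loader that mimics the gem's core behaviour (read `KEY=VALUE` lines, skip comments and blank lines, drop surrounding quotes, and, like `Dotenv.load`, leave variables already set in the shell untouched), plus a check that `.gitignore` actually lists `.env`. The sample file contents and the helper names are constructed for the example.

```ruby
# Added example, not the dotenv gem: a minimal .env loader with dotenv-like
# semantics, so you can see what the gem does with the file you must not commit.
# SAMPLE_DOTENV and the function names are constructed for this example.

# Parse .env text into a hash. Accepts an optional leading "export ".
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    line = line.sub(/\Aexport\s+/, '')
    key, value = line.split('=', 2)
    next unless key && value && key.match?(/\A[A-Za-z_][A-Za-z0-9_]*\z/)
    value = value.strip
    if value.length >= 2 && value[0] == value[-1] && %w[" '].include?(value[0])
      value = value[1..-2] # drop matching surrounding quotes
    end
    vars[key] = value
  end
end

# Apply parsed variables to an ENV-like hash. Values already present win,
# which is the same rule Dotenv.load follows for variables set in the shell.
def load_dotenv(text, env = ENV)
  parse_dotenv(text).each do |k, v|
    env[k] = v unless env.key?(k)
  end
  env
end

# True when .gitignore lists .env, so the secrets file cannot be staged by
# a careless `git add .`.
def gitignore_covers_env?(gitignore_text)
  gitignore_text.each_line.any? { |l| %w[.env /.env].include?(l.strip) }
end

SAMPLE_DOTENV = <<~ENVFILE
  # constructed sample .env for the example
  FB_API_KEY=3629346238763284623874623
  export SMTP_PASSWORD="p@ss word"
  NO_EQUALS_SIGN_SO_SKIPPED
ENVFILE

if __FILE__ == $PROGRAM_NAME
  env = load_dotenv(SAMPLE_DOTENV, {})
  puts env.inspect
  puts "gitignore ok: #{gitignore_covers_env?(File.exist?('.gitignore') ? File.read('.gitignore') : '')}"
end
```

The "existing values win" rule matters in practice: it lets a CI job or a teammate override one key from the shell without editing the shared `.env`, and it means a stale `.env` can never clobber a deliberately exported value.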

Server side setup

The traditional way

On the server, you'll need to repeat the same process, setting the necessary environment variables. You might decide to edit the .bash_profile or .bashrc for the user that runs your app.

The Heroku way

Heroku doesn't give you access to a shell, but they do provide a mechanism for setting environment variables:

heroku config:set FB_API_KEY=3629346238763284623874623

You can see all the environment variables currently set for your app by running heroku config:

$ heroku config

FB_API_KEY: 3629346238763284623874623

See the Heroku article Configuration and Config Vars for more details on setting and managing environment variables.

Removing Sensitive Data

If you've already committed sensitive data to your repo, here's a helpful article on how to remove it: Remove Sensitive Data

Be very careful with removing data from a Git repo. Work on a separate branch of course and have a peer review your commit before pushing/merging any changes.
