Elegant (??) solution to database.yml passwords

database.yml.erb

# Since you already have ssh keypair on your deployment host, you may use it to decrypt 
# database credentials at load time.
#
# The solution can be tweaked a bit to decrypt with capistrano at deployment time.
# In case where the private key is passphrase protected this won't work but it's pretty straight forward to fix it.
#
# Hope it's a nice starting point for a more mature solution.
#
# --Yarin

<% 
class RSACrypt
  def self.decrypt(crypt, pk_file=nil)
    puts "Actually Works!"
    pk_file = "#{ENV['USER']}/.ssh/id_rsa" unless pk_file
    pk = OpenSSL::PKey::RSA.new File.read(pk_file)
    pk.private_decrypt(crypt)
  end
end
%>
production:
  adapter: postgresql
  database: dbprod
  username: <%= RSACrypt.decrypt("\x1A0\xEA\xB6!\x11\x14\xF0?4@\xDC!\x1ER\xAE\xF0 2\x93\x8Ft\x01\x8C>|\x82\xB8\xD3\xC9\\\xF0k\xEE\xB8?\xD2\x85\xD4\xAD\x15@]44\r\x8B\xFD\xF4\xC0~\xCCX\xED\x06b\b\x02\xE7\xCD\x80\x1E\xB2\x99\x84\xD9\x8B\x8E1\x90\x8E\xC9UL4K\xB2\xF8\xEB\xDA\xCF\xAB7\xA7\xF5\x90^\x16\xC3\xD9\xA6\xB9\xD6\t9U\xFE\x977\xFEEK,Y\x82\xD2\x1FPa\xF8\xE9\xE3\\%ZM\xA7\x95\x1C\x17\x9CMp\xF1\xE6S6\xF0\x1F\t\x11\xEF\x1A\xDA\x80\xEE\xFD0\xCD\x03\xC0nT\xFD\x17\xA4\x9A!p\xDF\x1E\xC5\x0F\xEB=\x0F#WNYn\xD4U+\x7Fu\x0EN\x1989\xC3\xF0\x93T/\x8F\x92\x82\xE9f\xA3\xEA\xE3\xF6\\\aWJ\xC7\xD9\xA5\x9Di\xF4.\x16t\xA2%\xC2\xF0\xD2\xD8*\x8Bi+\x13\x8A\xD2\x06o\x99\xF0U_MV\xDC\xAD$\t\x04\x95\x8B\xEE\xFB\x06\x10\x89\xD8f\x8B\xEA\x06\x8E\xE8\x02R\x06<6\x83\xCB_\xE9\xDB\xAC\x15\x91\x04\"d\xBC\xEA", "/etc/ssl/custom_pk") %>
  password: <%= RSACrypt.decrypt("another crypt here...", "/etc/ssl/custom_pk") %>