Add SSL cert to application.yml in rails - ruby-on-rails

I just integrated an encrypted shopping cart to my Rails (4.2) app for use with Paypal. Currently, my app reads the SSL cert & key files into constants which are then used during encryption. This works fine, but I'd prefer not to publish those files to github. The app uses the figaro gem to manage the environment variables in the application.yml file. Is there a way to incorporate the SSL certs into application.yml as environment variables instead of reading the files?
Thanks in advance,
Brendan

Related

How do I use separate recaptcha keys for development and production

It says in the docs they recommend using separate keys for development and production. I have my site keys stored in .env
dotenv is only supposed to be used for development. It's a convenience for developers to be able to set environment variables. However, because it is a file on disk it loses the security advantages and configuration convenience of environment variables. It should not be checked into version control, and it should not be deployed to production.
For production, put your secrets in environment variables. Most cloud production environments include convenient interfaces to set environment variables for your deployments.
Alternatively, put your secrets in Rails encrypted credentials.
Just use a different .env file on your server
Or create .env.production file. If you use dotenv gem, it has higher priority
https://github.com/bkeepers/dotenv#what-other-env-files-can-i-use
Of course both files must be git-ignored
Or use rails credentials. In new rails (probably since 6.0) you can use different credentials in different environments

Setting Rails Credentials For Production Mode

I am trying to store my stripe live key via Credentials as shown in the Securing Rails Application Guide: https://guides.rubyonrails.org/security.html#custom-credentials
I'm not sure what I'm doing wrong. The keys are written to the credentials file, and in the test and development environments they work, but when pushing to production I get errors that say my API keys are not set. Here are what my credentials file and production config look like:
Credentials file ->
stripe_live: xxx.xxx.xxx
config/environments/production:
Stripe.api_key = Rails.application.credentials.stripe_live
I've also tried setting the keys with this command
rails credentials:edit --environment production and still no luck in the production environment.
How do I set rails credentials for the production environment? Do I need to set the RAILS_MASTER_KEY as an env variable in my production environment?
Set RAILS_MASTER_KEY to the string located within config/master.key. Rails will automatically use this value to decrypt your credentials file. A separate credentials file is optional, but if you do choose to use the separate credentials file you need to be sure that you use that key for the RAILS_MASTER_KEY env variable.

Where to store AWS keys in Rails?

Is database.yml the right place to read the AWS keys from bashrc? database.yml sounds like a place only for database configs. Is there a more appropriate place where the AWS configs from bashrc could be read inside my Rails app?
Rails 5.2 onwards
Rails 5.2 has introduced the concept of encrypted credentials. Basically, from Rails 5.2 onwards, there is an encrypted credentials file that is generated on initializing the app in config/credentials.yml.enc. This file is encrypted, and hence, can be pushed to your source control tool. There is also a master.key file which is generated while initializing the app, which can be used to decrypt the credentials file, and make changes to it.
So, credentials for AWS could be added to it as:
aws:
  access_key_id: 123
  secret_access_key: 345
These keys could be accessed in your app as Rails.application.credentials.aws[:secret_access_key]. Other sensitive config, like credentials to other external services that are being used, can also be added to this config. Check out this blog by Marcelo Casiraghi for more details.
Pre Rails 5.2
There was no concept of a credentials system prior to Rails 5.2. There are a couple of ways in which you could try to come up with a solution to store your configuration.
A. You could create a YAML file for defining your config from scratch.
Create a file called my_config.yml and place it in the config folder. Path: config/my_config.yml
Add whatever configuration is required to the file, in YAML format (as described for AWS above)
Make changes in application.rb to load this file during initialization as follows:
APP_CONFIG = YAML.load(ERB.new(File.new(File.expand_path('../my_config.yml', __FILE__)).read).result)[Rails.env] rescue {}
Using this approach, you will then be able to use APP_CONFIG['aws']['access_key_id'] for the AWS configuration defined above. For this use case, it is strongly recommended to have separate configuration files for development and production environments. The production file should probably not be checked in to version control for security.
B. Another approach would be to use some gems for managing configurations like railsconfig/config
NOTE: To answer the bit about storing this configuration in database.yml, it is strongly recommended to not do so. database.yml is a configuration file for storing configuration related to databases. Separation of concerns really helps while scaling any application, and hence, it is recommended to place such configurations in a separate file, which can be independently maintained, without any reliance on the database config.
Absolutely. The standard place to configure things like AWS would be inside config/initializers. You can create a file in there called aws.rb.
app/
bin/
config/
|__ initializers/
    |__ aws.rb
and inside this file you can configure your AWS setup using the environment variables from your bashrc
# config/initializers/aws.rb: read the keys from the environment rather than
# hard-coding them, so nothing secret ends up in the repository
Aws.config.update({
  credentials: Aws::Credentials.new(ENV.fetch('AWS_ACCESS_KEY_ID'),
                                    ENV.fetch('AWS_SECRET_ACCESS_KEY'))
})
Files inside this directory are executed on app start, so this configuration will be executed right when your app starts, before it starts handling requests.
It may also be useful to note that the AWS SDK for Ruby will automatically search for specific environment variables to configure itself with. If that's what you're using, and if you have the following environment variables set up in your bashrc
AWS_ACCESS_KEY_ID
AWS_SECRET_ACCESS_KEY
then you won't need any additional code in your Rails app to configure AWS. Check out more details here.

Where should I put keys at my rails app?

I am trying to use the gem webpush to create push notifications at my rails app.
At this part at tutorial he say:
"Use webpush to generate a VAPID key that has both a public_key and private_key attribute to be saved on the server side."
# One-time, on the server
vapid_key = Webpush.generate_key
# Save these in your application server settings
vapid_key.public_key
vapid_key.private_key
My doubt is: What exactly is "application server settings"? Where should I put these keys at my rails app?
Ideally it should be stored in environment variables (depends on the OS you use).
If you are using the dotenv gem and find it convenient to use dotenv in production you can store it in a .env file.
To use a variable use ENV['NAME']
Also for this purpose you can use default rails config/secrets.yml file. To use a variable use Rails.application.secrets.name.
Also you can combine env variables with secrets.yml file like:
secrets.yml
...
# secrets.yml is run through ERB before YAML parsing, so the value has to be an
# ERB tag; a bare ENV['NAME'] would be read as the literal string "ENV['NAME']"
key: <%= ENV['NAME'] %>
benefit: use variable independent of rails environment.
Notice: Never share your credentials file to git or any public repo! If you need to share this file with other developers just send them a copy with development keys.
Links:
dotenv
environment variables
secrets.yml
I wrote a gem to help with this now that Rails no longer supports secrets.yml.
REMINDER: you should never store a private key or any other secret variable in a file that is committed to your version control - use environment variables for that.

Securely store p12 file in rails

How do I securely store my p12 file in rails? My production web app will be in Heroku. The file is used to sign some documents dynamically.
Storing the p12 contents in an environment variable should be sufficiently secure on Heroku. This way it's at least not available in your code base or through your database.
You can setup Heroku environment variables like this:
# a .p12 is binary (it may contain NUL bytes, which "$(cat ...)" drops), so
# base64-encode it for the config var and decode it again in the app
heroku config:set P12_CONTENTS="$(base64 < /path/to/file.p12)"
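An added example (not code from any of the posts above) covering both the first question, a PEM cert and key kept in figaro's application.yml instead of in committed files, and this one, a .p12 kept base64-encoded in a Heroku config var. It constructs a throwaway RSA key and self-signed cert in place of the real Paypal/signing certificate; the variable names PAYPAL_CERT, PAYPAL_KEY and P12_CONTENTS and the password are assumptions.

```ruby
require 'openssl'
require 'base64'
require 'yaml'

# Constructed sample: a throwaway key and self-signed cert standing in for the
# real certificate from the posts (never generate production material like this).
def sample_key_and_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=example-cart')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# application.yml (figaro) variant: PEM is text, so it fits in a YAML block
# scalar and the .pem files themselves never need to be committed.
def figaro_yaml(key, cert)
  { 'PAYPAL_CERT' => cert.to_pem, 'PAYPAL_KEY' => key.to_pem }.to_yaml
end

# Load the PEM values back (figaro would expose them via ENV) and check that
# the key really belongs to the cert before using either.
def load_pem_from_yaml(yaml)
  vars = YAML.safe_load(yaml)
  cert = OpenSSL::X509::Certificate.new(vars.fetch('PAYPAL_CERT'))
  key  = OpenSSL::PKey::RSA.new(vars.fetch('PAYPAL_KEY'))
  raise 'private key does not match certificate' unless cert.check_private_key(key)
  [key, cert]
end

# Heroku variant: a .p12 is binary, so base64-encode it for the config var...
def p12_config_var(key, cert, password)
  p12 = OpenSSL::PKCS12.create(password, 'signer', key, cert)
  Base64.strict_encode64(p12.to_der)
end

# ...and decode it again when signing a document in the app.
def sign_with_p12(env_value, password, document)
  p12 = OpenSSL::PKCS12.new(Base64.strict_decode64(env_value), password)
  p12.key.sign(OpenSSL::Digest.new('SHA256'), document)
end
```

In the app, sign_with_p12 would be called with ENV.fetch('P12_CONTENTS') and the password from a second config var rather than from a literal.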