How do I securely store my p12 file in rails? My production web app will be in Heroku. The file is used to sign some documents dynamically.
Storing the p12 contents in an environment variable should be sufficiently secure on Heroku. This way it's at least not available in your code base or through your database.
You can setup Heroku environment variables like this:
heroku config:add P12_CONTENTS="$(cat /path/to/file.p12)"
Related
I am trying to store my stripe live key via Credentials as shown in the Securing Rails Application Guide: https://guides.rubyonrails.org/security.html#custom-credentials
I'm not sure what I'm doing wrong, the keys are written to the credentials file and in the test and development environments they work but when pushing to production I get errors that say my API Keys are not set. Here are what my credentials file and production config look like:
Credentials file ->
stripe_live: xxx.xxx.xxx
config/environments/production:
Stripe.api_key = Rails.application.credentials.stripe_live
I've also tried setting the keys with this command
rails credentials:edit --environment production and still no luck in the production environment.
How do I set rails credentials for the production environment? Do I need to set the RAILS_MASTER_KEY as an env variable in my production environemtn?
Set RAILS_MASTER_KEY to the string located within config/master.key . Rails automatically will use this value to decrypt your credentials file. A separate credentials file is optional, but if you do chose to use the separate credentials file you need to be sure that you use that key for the RAILS_MASTER_KEY env variable.
Until now I was handling my app secrets the usual way :
In development: my secrets are stored unencrypted in my secrets.yml file. The secrets.yml file is not commited to Github and
stays on my computer.
As per AWS reccomendations I have roles that allow me to have development specific keys. This allows to restrain my development keys to certain functions that have a different scope than production keys.
In production: My keys are stored on Heroku and called like ENV["AWS_SES_KEY"] inconfig/environments/production.rb.
I quite liked it because in case my computer is stolen, the development keys which then become corrupt can be erased at AWS without having to touch the production keys. And because the development keys can be limited to a certain scope of actions at AWS, it prevents any dangerous alterations (full bucket erasing ...)
Now we have credentials, if I am not mistaken, all keys (development and production) are inside the same encrypted file. The master key is the only environment key that is now seeded to Heroku. Though I still need this key locally to access the credentials. Then if my computer is stolen both development and production keys are corrupt and can generate a higher risk for my production app.
Is there something I am missing on the new credentials feature ? any way to avoid the above issue ?
What would be great is still using secrets.yml for dev keys and credentials.yml.enc for production keys, is it how it is intended ?
As the release notes for Rails 5.2.0 states, the future intent is to replace secrets.yml and secrets.yml.enc with credentials.yml.enc:
This will eventually replace Rails.application.secrets and the encrypted secrets introduced in Rails 5.1.
There's a very clear sense that credentials.yml.enc is meant to contain production credentials only because the Rails recommendation is to not have environment specific keys in it; i.e.,
# don't do this
development:
# ...
production:
# ...
As for the config/master.key "corruption" risk, I'm not sure how to answer that. The master key is only required when running in production mode. You can also store the master key in the RAILS_MASTER_KEY environment variable. In development, you'd only need the master key if you wanted to edit credentials.yml.enc.
I just integrated an encrypted shopping cart to my Rails(4.2) app for use with Paypal. Currently, my app reads the SSL cert & key files into constants which are then used during encryption. This works fine, but I'd prefer not to publish those files to github. The app uses the figaro gem to manage the environment variables in the application.yml file. Is there a way to incorporate the SSL certs into application.yml as environment variables instead of reading the files?
Thanks in advance,
Brendan
I am following this guide to get model attachments stored in S3. I am curious as to why the AWS key and secret and bucket name need to be stored in config/environments/production.rb AS WELL AS set using
heroku config:set AWS_ACCESS_KEY_ID=your_access_key_id
I thought it would be one or the other. For obvious reasons, I would rather not store the key and secret in a file in a repo.
I misread the steps. I now see that the production and development file are not supposed to contain the API Key and Secret. Just reference the environment variable.
I am trying to deploy a rails app to heroku, and I know that their file system is read only, and it only contains the latest code. I am using a git repository, via this guide. I have a config file, holding passwords and other stuff that I don't want to track on git, but I have to upload them to heroku. How can I accomplish that?
Rather than store the confidential info in the app files, set them up as environment variables on heroku using config vars
Ref: https://stackoverflow.com/a/7832040/429758