Where should I store sensitive files on Heroku?

Question

There's probably an obvious answer to this question that I'm just not thinking of. I know that sensitive data such as secure credentials are best stored on a service like Heroku using environment variables via Heroku's CLI with heroku config:add. But what about sensitive files, such as certificates? Specifically I'm wondering what I should do with my certificate for Apple Push Notifications (APN).

I'm taking a stab at implementing this myself since the silence in response to this question leads me to believe there aren't a lot of great alternatives there (and Urban Airship looks too expensive). From taking a gander at APN on Rails, I see that they actually store certificates in the database. Does that make sense? Or would it make sense to actually store the content of the certificate in an environment variable (not sure if that's even possible)?

hey what did you do in the end? – bogardon Jul 07 '13 at 20:19 — bogardon, Jul 07 '13 at 20:19

score 7 · Answer 1 · edited May 23 '17 at 12:01

7

You can set the whole certificate in an environment variable.

See this answer: Multi-line config variables in Heroku

edited May 23 '17 at 12:01

Community

1
1

answered Feb 20 '14 at 10:43

Karlotcha Hoa

284
3
11

1

Please use the duplicated flag in the future once you gain enough reputation. – László Papp Feb 20 '14 at 11:03

score 3 · Answer 2 · answered Jul 08 '12 at 01:56

You might consider storing the cert in S3 which can be downloaded by each process at startup and stored in memory (or memcached/redis) for subsequent access.

If you're really feeling it you might consider creating your own buildpack which does the cert download at slug compile time and makes it available on the slug filesystem.

score 0 · Answer 3 · answered Aug 22 '17 at 07:11

0

For me the best solution was to encrypt the private keys in the certificate and store the password for decryption in Herokus environment variables.

answered Aug 22 '17 at 07:11

Karl Adler

15,780
10
70
88

score -1 · Answer 4 · edited Jun 20 '20 at 09:12

I suggest creating a separate repository that contains the certificates, that only your inner circle of developers have access to.

To do so locally:

git clone myproject myprojectwithcerts

cd myprojectwithcerts

git add heroku username@herokuapp.com/myproject

Then you can add your certs to the "myprojectwithcerts," commit them, then push to Heroku.

git push heroku master

When changes occur in myproject

git pull origin master

As long as only your inner circle of developers can access Heroku to push/pull, only they can access your sensitive files.

Where should I store sensitive files on Heroku?

4 Answers4

Linked