24

I am trying to push a brand new, empty Rail 3.0.4 project to GitHub, but just realize that the cookie session store has a secret key:

In config/initializers/secret_token.rb

NewRuby192Rails304Proj::Application.config.secret_token = '22e8...'

So how can we avoid it being push to GitHub? We can ignore this file (using .gitignore), but without this file, a Rails app won't run at all (and is not a complete Rails app). Or in general, other files or frameworks may have files containing secret keys too. In such case, how should it be handled when pushing to GitHub?

nonopolarity
  • 146,324
  • 131
  • 460
  • 740
  • 1
    You can use an external tool like: [git-secret](https://github.com/sobolevn/git-secret) or [blackbox](https://github.com/StackExchange/blackbox) to handle these files. – sobolevn Mar 10 '16 at 22:16

4 Answers4

24

Add in your repo:

  • a template of it (secret_token.rb.template),
  • a script able to generate a proper config file secret_token.rb based on local data found on the server (like an encrypted file with the secret value ready to be decoded and put in the secret_token.rb file)

From there, add a git attribute custom driver:

enter image description here

The script referenced above will be your 'smudge' script which will, on checkout of the working tree, generate automatically the right file.

Community
  • 1
  • 1
VonC
  • 1,262,500
  • 529
  • 4,410
  • 5,250
  • nice picture... you use some tool to generate it (from text?) – nonopolarity Feb 27 '11 at 10:26
  • 2
    @動靜能量: see http://progit.org/2009/07/28/the-gory-details.html: Scott Chacon used Omnigraff: http://www.omnigroup.com/products/omnigraffle/ – VonC Feb 27 '11 at 11:25
8

Put the secret key in some sort of external config file. Thats what we do.

Zachary K
  • 3,205
  • 1
  • 29
  • 36
  • 1
    Use "rake secret" to generate a new secret_token key if you need to. I found this useful because I'd already checked in the existing key into a public repo and wanted to replace the existing key when using an external config file. As the above suggestion, I've stored my key in an external file in the directory underneath the rails web root (but you could use any directory) - if you want to see my code then follow the link: https://github.com/richhollis/website/blob/672a14d170e8b7e4b9fcef1b809a8685224a3c65/config/initializers/secret_token.rb – RidingTheRails Mar 23 '12 at 17:38
2

There are several external tools, which do exactly that. Basically, these tools encrypt the file with your private data and store it in the VCS, but ignore the original unencrypted file.

One of the most known and trusted is blackbox. It uses gpg to encrypt your files and works with both git and hg. By the way, it is created by SO team. Have a look at the alternatives section, it has at least five other tools.

I can also recommend you a tool called git-secret, it also uses gpg. But it works only with git. The main advantage is that the workflow is much easier compared to other tools.

sobolevn
  • 16,714
  • 6
  • 62
  • 60
1

You could risk trusting Github's security/privacy if it is a private repository .. or:
- Pull the data from a configuration file on the server. For example, if you use Capistrano for deployment, you can add a step that copies the configuration file from somewhere on the server.
- Use an environment variable.

Allen Ding
  • 1,363
  • 10
  • 15