DEV Community

Davide Bellone
Davide Bellone

Posted on

How do you handle open source projects and private config keys?

I'm planning to release on my GitHub account some projects related to the articles I'm writing.

The problem is that for these projects I need some private key that I don't want to share on the web. What's the best strategy for you?

I was thinking to have a local config file with the real keys and put that file under gitignore. But If I do so, I'll not be able to get them if I need to work from another PC.

How have you overcome this problem?

Top comments (3)

Collapse
 
dbanty profile image
Dylan Anthony

Best practice is to never commit any sensitive data (e.g. keys) to any repo. Ignore the file like you said and store a copy somewhere safe (DropBox, OneDrive, iCloud, whatever you use).

Note that if you’ve ever committed a sensitive file to a repository it’s still stored in the repository history. You have to use something like bfg to clean out sensitive files before making the repo public.

Collapse
 
bellonedavide profile image
Davide Bellone • Edited

Luckily I have published only versions with <your-key-here> values.

So the best way is to ignore the config file, use it for local development and store a copy outside... Uhm, it looks cumbersome, but it makes sense

Collapse
 
podobaas profile image
Aleksey Podoba

Maybe you can use Azure Vault :) ?