TLDR version of this article >>here<<
Often when working on a Rails app, you will have to handle vulnerable data.
Most often these are API keys to services that you integrate.
Most common examples:
- Github, Google, Twitter, Facebook oAuth
- AWS S3
- Stripe, Braintree etc
- Sendgrid, Mailchimp etc
Here you can see a
client_secret provided by Github, so that you can add "Log in with Github" functionality:
To use these keys, you could directly place them in your
devise.rb file like
config.omniauth :github, "23r32t34t4rg", "regregbesgbvtegc4g43g343"
However this approach creates a security threat.
For example, if your repository is ever open sourced or shared with third parties, anybody can misuse your API keys.
That can lead to your account:
- being banned (overuse quota with too many requests)
- charged (with your API keys anybody can upload too much data to your S3 account)
- you can experience a data leak (all your application attachements from S3 can be leaked)
That's why should use credentials to encrypt sensitive data.
An encrypted line in
devise.rb would look like:
config.omniauth :github, (Rails.application.credentials[Rails.env.to_sym][:github][:client]).to_s, (Rails.application.credentials[Rails.env.to_sym][:github][:secret]).to_s
So how do you make it work?
When you create a Rails 6 app, under app/config you have a file named
If you open the
credentials.yml.enc file, it will usually look like this:
It is encrypted and safe to share in a public repository.
To decrypt the
credentials.yml file, the
master.key file is used:
NEVER SHARE THE MASTER KEY WITH THE PUBLIC.
IF YOU LOSE THE MASTER KEY, YOU WILL NOT BE ABLE TO DECRYPT YOUR CREDENTIALS
master.key is not included into your git commits.
To decrypt and view or edit your
you can run
EDITOR=vim rails credentials:edit.
When decripted, the
credentials.yml file would typically looks somewhat like this:
To retrieve any data from
credentials.yml in your rails app or in the console, you can run something like
rails c Rails.application.credentials.dig(:aws, :access_key_id) #=> sdgb89dngfm6cg8jmbdb8f9bfg6n8fnd7bd9f Rails.application.credentials[:github][Rails.env.to_sym][:secret] #=> 6hl65knh4l5vgm8
Editing the file in VIM inside a terminal can a feel tricky and unnatural.
To edit the file, press
i. You will see
INSERT appear on the bottom of the file, prompting that you are currently able to edit the file:
When you're done, press
ESC. next press
ENTER to exit with saving.
ENTER to exit without saving.
Real-world example of config/credentials.yml:
awss3: access_key_id: YOUR_CODE_FOR_S3_STORAGE secret_access_key: YOUR_CODE_FOR_S3_STORAGE google_analytics: YOUR_CODE_FOR_GOOGLE_ANALYTICS recaptcha: site_key: YOUR_CODE_FOR_RECAPTCHA secret_key: YOUR_CODE_FOR_RECAPTCHA google_oauth2: client_id: YOUR_CODE_FOR_OAUTH client_secret: YOUR_CODE_FOR_OAUTH development: github: client: YOUR_CODE_FOR_OAUTH secret: YOUR_CODE_FOR_OAUTH stripe: publishable: YOUR_STRIPE_PUBLISHABLE secret: YOUR_STRIPE_SECRET production: github: client: YOUR_CODE_FOR_OAUTH secret: YOUR_CODE_FOR_OAUTH stripe: publishable: YOUR_STRIPE_PUBLISHABLE secret: YOUR_STRIPE_SECRET facebook: client: YOUR_CODE_FOR_OAUTH secret: YOUR_CODE_FOR_OAUTH
To set your master key in production (heroku example):
heroku config:set RAILS_MASTER_KEY=YOURMASTERKEY
heroku config:set RAILS_MASTER_KEY=`cat config/master.key`
That's it 🤠
Liked this article? Please follow me! It will really motivate me to post more fun stuff!