Reputation: 128307
There's probably an obvious answer to this question that I'm just not thinking of. I know that sensitive data such as secure credentials are best stored on a service like Heroku using environment variables via Heroku's CLI with heroku config:add. But what about sensitive files, such as certificates? Specifically I'm wondering what I should do with my certificate for Apple Push Notifications (APN).
I'm taking a stab at implementing this myself since the silence in response to this question leads me to believe there aren't a lot of great alternatives there (and Urban Airship looks too expensive). From taking a gander at APN on Rails, I see that they actually store certificates in the database. Does that make sense? Or would it make sense to actually store the content of the certificate in an environment variable (not sure if that's even possible)?
Upvotes: 11
Views: 3374
Reputation: 16796
For me the best solution was to encrypt the private keys in the certificate and store the password for decryption in Heroku's environment variables.
Upvotes: 0
Reputation: 2624
I suggest creating a separate repository that contains the certificates, that only your inner circle of developers have access to.
To do so locally:
git clone myproject myprojectwithcerts
cd myprojectwithcerts
git remote add heroku [email protected]/myproject
Then you can add your certs to "myprojectwithcerts", commit them, then push to Heroku.
git push heroku master
When changes occur in myproject:
git pull origin master
As long as only your inner circle of developers can access Heroku to push/pull, only they can access your sensitive files.
Upvotes: -1
Reputation: 284
You can set the whole certificate in an environment variable.
See this answer: Multi-line config variables in Heroku
Upvotes: 7
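An added example, not part of any answer on this page: a Ruby loader that combines the two suggestions above (an encrypted private key, with the passphrase and the PEM text held in config vars). The variable names APN_CERT_PEM, APN_KEY_PEM and APN_KEY_PASSPHRASE are hypothetical, and the certificate is a throwaway self-signed one constructed in the code to stand in for the real APN certificate.

```ruby
require "openssl"

# Hypothetical config var names; the page does not name any.
CERT_VAR = "APN_CERT_PEM"
KEY_VAR  = "APN_KEY_PEM"
PASS_VAR = "APN_KEY_PASSPHRASE"

# Multi-line values sometimes arrive with literal "\n" sequences; restore them.
def pem_from(value)
  value.gsub("\\n", "\n").strip + "\n"
end

# Returns [certificate, private_key] built from an ENV-like hash.
def load_apn_credentials(env = ENV)
  missing = [CERT_VAR, KEY_VAR, PASS_VAR].select { |k| env[k].to_s.empty? }
  raise ArgumentError, "missing config vars: #{missing.join(', ')}" unless missing.empty?

  cert = OpenSSL::X509::Certificate.new(pem_from(env[CERT_VAR]))
  key_pem = pem_from(env[KEY_VAR])
  # Reject a plaintext key: the passphrase would then protect nothing.
  raise ArgumentError, "private key is not encrypted" unless key_pem.include?("ENCRYPTED")
  key = OpenSSL::PKey.read(key_pem, env[PASS_VAR]) # raises on a wrong passphrase
  raise ArgumentError, "key does not match certificate" unless cert.check_private_key(key)
  [cert, key]
end

# Constructed sample: a throwaway key and self-signed certificate, laid out
# the way the values would sit in the config vars.
def sample_env(passphrase)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=constructed-sample")
  cert.public_key = key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  enc = key.to_pem(OpenSSL::Cipher.new("aes-256-cbc"), passphrase)
  { CERT_VAR => cert.to_pem, KEY_VAR => enc, PASS_VAR => passphrase }
end

if __FILE__ == $PROGRAM_NAME
  cert, key = load_apn_credentials(sample_env("constructed-passphrase"))
  puts "loaded #{cert.subject} with a #{key.n.num_bits}-bit key"
end
```

Anyone who can read the app's config vars gets both the encrypted key and its passphrase when the two are stored together, so the encryption only helps when the key material lives somewhere with different access (for example the repository).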
Reputation: 11667
You might consider storing the cert in S3 which can be downloaded by each process at startup and stored in memory (or memcached/redis) for subsequent access.
If you're really feeling it you might consider creating your own buildpack which does the cert download at slug compile time and makes it available on the slug filesystem.
Upvotes: 3