Brad Gessler

Reputation: 2824

How do I securely store passwords in a configuration file in a Ruby/Rails web server environment?

I need to store payment gateway processor username/password credentials on a production web server, but would prefer not to do so in clear-text. What is the best way to store these credentials? Are there best practices for encrypting and decrypting this information?

Upvotes: 3

Views: 2302

Answers (2)

mehmoomoo

It's a classic chicken-egg problem. Encryption does not help you at all if you can't protect the keys. And you obviously can't.

What I would suggest is to try to make the other services / users use hashes towards your authentication code, and save those hashes instead. That way at worst you will lose the hashes, but it might prove hard (depending on the rest of the setup) to actually use them maliciously. You might also want to salt the hashes properly.

Another possibility would be using an external authentication store if you can't enforce using hashes. It does not really solve the problem, but you can control the attack vectors and make it safer by allowing only very specific contact with the actual source with the important data.

Upvotes: 2

thedz

Reputation: 5572

  1. Store outside of any directory that is web accessible.
  2. Make sure only the app processes have read access.
  3. Harden server.

Upvotes: 1
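As an added illustration of steps 1 and 2 in the answer above (this is example code, not something posted by either answerer), the Ruby below loads a YAML credentials file and refuses to use it unless it sits outside the web root, is owned by the user the app runs as, and has no group/other permission bits. The `gateway.yml` file name, the `public/` web root and the credential values are all constructed for the example.

```ruby
require "yaml"
require "tmpdir"

# Constructed example credentials; not real gateway values.
EXAMPLE_YAML = <<~YAML
  gateway:
    username: example_merchant
    password: example_secret
YAML

# True when +path+ does not resolve to a location under +web_root+.
def outside_web_root?(path, web_root)
  real = File.expand_path(path)
  root = File.expand_path(web_root)
  real != root && !real.start_with?(root + File::SEPARATOR)
end

# Load a YAML credentials file only if it is a regular file outside the web
# root, owned by the user the app runs as, and not readable by group or others
# (i.e. mode 0600 or 0400). Anything else is refused with an explanatory error.
def load_credentials(path, web_root:, expected_uid: Process.uid)
  unless outside_web_root?(path, web_root)
    raise ArgumentError, "#{path} lives under the web root #{web_root}"
  end

  st = File.stat(path)
  raise "#{path} is not a regular file" unless st.file?
  raise "#{path} is not owned by uid #{expected_uid}" unless st.uid == expected_uid
  if (st.mode & 0o077) != 0
    raise format("%s is accessible to group/other (mode %04o); chmod 600 it",
                 path, st.mode & 0o777)
  end

  # safe_load yields plain Hash/String values; no arbitrary Ruby objects.
  YAML.safe_load(File.read(path))
end

# Write the constructed credentials into a temp dir with the given mode and
# try to load them, with a sibling "public" directory acting as the web root.
# Returns the loaded Hash, or the error message when loading is refused.
def try_load(mode)
  Dir.mktmpdir do |dir|
    web_root = File.join(dir, "public")
    Dir.mkdir(web_root)
    path = File.join(dir, "gateway.yml")   # outside web_root by construction
    File.write(path, EXAMPLE_YAML)
    File.chmod(mode, path)
    begin
      load_credentials(path, web_root: web_root)
    rescue StandardError => e
      e.message
    end
  end
end

if $PROGRAM_NAME == __FILE__
  p try_load(0o600)   # loaded Hash
  p try_load(0o644)   # refused: file is group/world readable
end
```

Checking ownership and mode at load time means a deployment mistake (a `chmod 644` or a file copied into `public/`) fails loudly at boot instead of silently exposing the gateway credentials.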