Reputation: 12650
As a novice with no CS degree it's hard distinguishing best practice vs. convention vs. security risks.
I use secrets.yml in combination with .rbenv-vars for my rails app because it seems to be easy. I understand I can use things like Figaro to do basically the same thing, but what is best practice and safest? For development, I just put my keys straight in secrets.yml and use env-vars for the production settings.
Can someone explain 1) the reasons for using env-vars instead of just using secrets.yml (provided it's git-ignored! SO links are welcome) and 2) which is best practice and common convention?
Upvotes: 1
Views: 1657
Reputation: 5049
Both are common-place. From a security standpoint, if somebody is able to access your environment variables, they will probably be able to access your code. Once your code is running, either way the values are in memory.
You will see that, by default, secrets.yml is configured to obtain the SECRET_KEY_BASE from the environment in production:
    production:
      secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
One good reason to have this is for the application to run in production. Having this functionality enables the key to be changed, and the application restarted, without modifying any files. For an application running in Cloud Foundry, Heroku, etc., this can be quite convenient.
Upvotes: 1
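To make the answer's point concrete, here is an added example (not code from the question or answer above, and not Rails' own loader) that applies ERB and then YAML to a constructed secrets.yml the way Rails does at boot, refuses to continue when a production value resolves to blank, and flags any production key that is a hard-coded literal instead of an ENV lookup; the sample YAML and the helper names are assumptions.

```ruby
require "erb"
require "yaml"

# Constructed sample of a Rails-style config/secrets.yml: development keeps a
# throwaway placeholder, production defers to the environment, as in the answer.
SAMPLE_SECRETS_YML = <<~YAML
  development:
    secret_key_base: dev_only_placeholder_not_a_real_secret
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# Mirror what Rails does at boot: run the file through ERB, then parse YAML,
# and return the section for the requested environment. A missing or blank
# value raises, which is the failure mode you want in production instead of
# silently booting with an empty secret_key_base.
def load_secrets(yaml_text, env)
  rendered = ERB.new(yaml_text).result(binding)
  section  = YAML.safe_load(rendered).fetch(env.to_s)
  section.each do |key, value|
    raise ArgumentError, "#{env}: #{key} is unset" if value.nil? || value.to_s.strip.empty?
  end
  section
end

# Defender's check on the raw (un-rendered) file: production values should be
# ERB lookups of ENV, never literals, even when the file is git-ignored.
# Returns the offending keys, so an empty array means the file is clean.
def hardcoded_production_keys(yaml_text)
  raw = YAML.safe_load(yaml_text).fetch("production", {})
  raw.reject { |_key, value| value.to_s.match?(/<%=\s*ENV\[/) }.keys
end
```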