sanshou36

Reputation: 43

Hide credentials in a public repo, which is being used to deploy live

What are best practices in hiding credentials, such as API keys or database credentials, in a public repo such as GitHub? My go-to solution is to have a config file which stores the credentials, then add a gitignore file to not include the config file during push.

The caveat is this repo is being used to deploy with every push, e.g. Netlify or Heroku. So a Netlify / Heroku website is online from the repo push. In this case, if there is an API call or database request, the credentials would need to be in the public repo, as this is the "production folder".

I've heard of Travis CI, and that it could build after a GitHub push, but I have not looked into it much. How do other projects use their credentials when deploying from a public repository?

Upvotes: 4

Views: 2404

Answers (1)

bk2204

Reputation: 76499

Generally the way that folks pass secrets to their code is through the environment, which is considered a best practice. Here's why:

  • Secrets in the environment are never written to disk, so there's much less accidental risk of discovery or disclosure.
  • Secrets in the environment are only visible to other processes with the same user ID, which is helpful when deploying to hardware.

If your credentials are small enough, you can use the secret store or environment store of whatever provider you're using. All major CI providers have this and I expect most major hosting sites do as well; I know Heroku does. Things like SSH keys which must be files can be written to disk from the environment, ideally into a temporary directory which is cleaned up.

If you're deploying to your own infrastructure, generally you'll have some encrypted secret store for this purpose. Vault is a common one.

If you need credentials that are for development, you can structure your code such that there's a safe default (like the hard-coded phrase secret) for development use if no variable is set, or you can provide a set of fallbacks in development and test code. Some projects also use .env files, although this requires additional code which some people don't want to install.

If you have huge credentials that you cannot store in your secret store, you can encrypt them and store the passphrase in the secret store.

Upvotes: 3
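The pattern the answer describes, as an added example that is not part of the original post: read credentials from the environment, fail at startup in production when one is missing, fall back to a harmless default only in development, and materialise a file-only secret such as an SSH key into a private temporary directory that is cleaned up afterwards. It assumes an `APP_ENV` variable set to `production` on the hosting provider; all variable names and sample values are constructed.

```python
import os
import tempfile
from contextlib import contextmanager

class MissingSecret(RuntimeError):
    """Raised when a required secret is absent in production."""

def get_secret(name, env=None, dev_default=None):
    """Read a secret from the environment (env defaults to os.environ).
    Production: the variable must be present; failing loudly at startup
    beats running with an empty credential. Development/test: fall back
    to the caller's harmless default so no real secret lives in the repo.
    """
    env = os.environ if env is None else env
    value = env.get(name)
    if value:  # empty string counts as unset
        return value
    if env.get("APP_ENV") == "production" or dev_default is None:
        raise MissingSecret(f"{name} is not set")
    return dev_default

def load_settings(env=None):
    """Resolve every credential the app needs in one place (constructed names)."""
    return {
        "database_url": get_secret("DATABASE_URL", env, "sqlite:///dev.db"),
        "api_key": get_secret("API_KEY", env, "dev-only-key"),
    }

@contextmanager
def key_file_from_env(name, env=None):
    """Materialise a file-only secret (an SSH key) from the environment.
    Written with mode 0600 into a private temporary directory and removed
    again when the block exits, so it never outlives the deploy step.
    """
    material = get_secret(name, env)  # no dev default: a key must be real
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "id_deploy")
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(material)
        yield path

def file_mode(path):
    """Permission bits of path, or None once it has been cleaned up."""
    return os.stat(path).st_mode & 0o777 if os.path.exists(path) else None
```

Inside `with key_file_from_env("DEPLOY_SSH_KEY") as path:` the key can be passed to `ssh -i path` or `GIT_SSH_COMMAND`; on exit the directory and the key are gone.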
