sscirrus

Reputation: 56749

Where to store system passwords in the Rails directory tree?

I have a number of 'system' passwords in my Rails app, such as database passwords and separate HTTP authentication passwords for an XML feed.

My trouble is knowing exactly how to store these passwords in my directory so they are as safe as they can be. What are your recommendations specifically for Rails 3?

Upvotes: 0

Views: 160

Answers (2)

fpauser

Reputation: 450

Just make sure to store your config-files in the config-folder (or at least outside the public-folder ;). Besides this you should secure the access to your rails-app-user-account from outside (force ssh-pubkey authentication).

Another security-flaw is checked-in config-files with sensitive password information (e.g. database-access). I always add config/database.yml to .gitignore and check in a default config/database.sample.yml as a template for other developers. The "real" config/database.yml is created and configured manually with environment-specific configuration-values.

Upvotes: 2
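An added example (not from the answer above or from Rails itself) that turns the answer's layout into a pre-deploy check: the real config/database.yml must exist, be listed in .gitignore, be readable only by the app user, and not still carry the template placeholder. The helper names `secret_storage_problems` and `demo_checkout`, the sample YAML and the `CHANGE_ME` placeholder are all constructed for the example.

```ruby
require "yaml"
require "tmpdir"
require "fileutils"

# Constructed sample: the checked-in template (no real secret) and the
# machine-specific real file derived from it, as the answer recommends.
SAMPLE_YML = <<~YAML
  production:
    adapter: postgresql
    database: myapp_production
    username: myapp
    password: CHANGE_ME
YAML
REAL_YML = SAMPLE_YML.sub("CHANGE_ME", "s3cret-constructed")

# Return a list of problems with how the database secret is stored in a
# Rails checkout rooted at `root` (hypothetical helper, not part of Rails).
def secret_storage_problems(root, env = "production")
  problems = []
  real = File.join(root, "config", "database.yml")
  ignore = File.join(root, ".gitignore")
  unless File.exist?(real)
    return ["config/database.yml missing: copy config/database.sample.yml and fill it in"]
  end
  # The real file must be excluded from version control.
  ignored = File.exist?(ignore) &&
            File.readlines(ignore, chomp: true).any? { |l| l.strip == "config/database.yml" }
  problems << "config/database.yml is not listed in .gitignore" unless ignored
  # Only the app user should be able to read it (mode 0600 or stricter).
  mode = File.stat(real).mode & 0o777
  problems << format("config/database.yml readable by group/other (mode %04o)", mode) unless (mode & 0o077).zero?
  # The real file must not still carry the template placeholder.
  pw = YAML.safe_load(File.read(real)).dig(env, "password").to_s
  problems << "#{env} password is empty or still the template placeholder" if pw.empty? || pw == "CHANGE_ME"
  problems
end

# Build a throwaway checkout laid out as the answer describes, so the check runs offline.
def demo_checkout(gitignored: true, mode: 0o600, real: REAL_YML)
  root = Dir.mktmpdir("rails-secrets")
  FileUtils.mkdir_p(File.join(root, "config"))
  File.write(File.join(root, "config", "database.sample.yml"), SAMPLE_YML)
  File.write(File.join(root, "config", "database.yml"), real)
  File.chmod(mode, File.join(root, "config", "database.yml"))
  File.write(File.join(root, ".gitignore"), gitignored ? "config/database.yml\n" : "")
  root
end

puts secret_storage_problems(demo_checkout).inspect if $PROGRAM_NAME == __FILE__
```

Run it against a real checkout with `secret_storage_problems(Rails.root.to_s)` from a deploy hook; an empty list means the file is present, ignored, private and filled in.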

John Hinnegan

Reputation: 5962

encrypted in a database?

in environment config?

I've used both in the past. The reality is that HTTP passwords are more like an API key. The provider of the service has the responsibility that you can't do anything 'evil' with access. In general, I recommend against putting anything in source control you don't want to be public. In the past, I've had to deploy separate key files outside of my app. If you're doing really secure stuff (a la credit cards), then you can do that. And just create a user on the server that has access to the keyfiles. Then you're actually using access to the Unix box as your security model, not the password to your keyfiles.

Upvotes: 5
