Use GPG to keep your Rails secrets secure (opens in new tab)

(bugsnag.com)

19 pointsloopj11y ago3 comments

3 comments

I prefer using Symmetric Encryption: https://github.com/reidmorrison/symmetric-encryption

It's super simple to setup and maintain. The only pain-point is how to distribute the private key to new-users. Haven't quite found a super easy way to do that yet. Generally we just airdrop it to the person.

StavrosK11y ago

(Re-)encrypt it to their GPG keys of the people you want to have access and stick it in the repo?

joevandyk11y ago

I prefer storing secrets/api tokens in a database.

Runs the risk of leaking secrets via a sql injection exploit though, but if that happens, you're already screwed.

For development, we consider all keys/tokens available to developers as public -- i.e. for authorize.net accounts, those tokens are tied to test accounts.

j / k navigate · click thread line to collapse