When you have a secret key in your project, how can you push to GitHub?

I am trying to push a new, empty Rails 3.0.4 project to GitHub, but I just realized that there is a secret key in the cookie session store:

In config/initializers/secret_token.rb

 NewRuby192Rails304Proj::Application.config.secret_token = '22e8...' 

So, how can we avoid pushing it to GitHub? We can ignore this file (using .gitignore), but without this file the Rails application will not start at all (and is not a complete Rails application). Or, in general, other files or frameworks may have files containing private keys. In this case, how should this be handled when pushing to GitHub?

+22
git github secret-key
Feb 27 '11 at 8:11
4 answers

Add to your repo:

  • its template (secret_token.rb.template),
  • a script able to generate the correct secret_token.rb config file based on local data found on the server (for example, an encrypted file with the secret value, ready to be decoded and put in the secret_token.rb file)

From there, add a custom git attribute driver:

The above script will be your 'smudge' script, which, on checkout of the working tree, automatically generates the correct file.

+24
Feb 27 '11 at 10:09
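
The smudge/clean driver described in the answer above, as an added example that is not part of the original answer. The script name `secret-filter.sh`, the `@@SECRET_TOKEN@@` placeholder, the `/etc/myapp/secret_token` path and the hex-only check are assumptions; here the committed copy of `secret_token.rb` carries the placeholder and the real key exists only in the working tree.

```shell
#!/bin/sh
# secret-filter.sh (hypothetical name): git smudge/clean filter for
# config/initializers/secret_token.rb. Assumed wiring, run once per clone:
#   echo 'config/initializers/secret_token.rb filter=secret' >> .gitattributes
#   git config filter.secret.smudge 'sh secret-filter.sh smudge'
#   git config filter.secret.clean  'sh secret-filter.sh clean'

PLACEHOLDER='@@SECRET_TOKEN@@'
# Assumed location of the real key: a server-local file outside the repo.
SECRET_FILE="${SECRET_FILE:-/etc/myapp/secret_token}"

# smudge: stdin = committed blob, stdout = working-tree file with the real key.
smudge() {
    [ -r "$SECRET_FILE" ] || {
        echo "secret-filter: cannot read $SECRET_FILE" >&2; return 1; }
    secret=$(tr -d '\n' < "$SECRET_FILE")
    # Accept only non-empty hex (assumed key format) so the value cannot
    # break out of the sed expression or the Ruby string literal.
    case "$secret" in
        ''|*[!0-9a-fA-F]*)
            echo "secret-filter: secret must be non-empty hex" >&2; return 1 ;;
    esac
    sed "s/$PLACEHOLDER/$secret/g"
}

# clean: stdin = working-tree file, stdout = blob that gets committed.
# Whatever sits between the quotes is replaced by the placeholder, so a
# plain `git add` of the generated file never stages the real key.
clean() {
    sed "s/\(\.secret_token *= *'\)[^']*'/\1$PLACEHOLDER'/"
}

case "${1:-}" in
    smudge) smudge ;;
    clean)  clean ;;
esac
```

Setting `git config filter.secret.required true` makes checkout fail when the smudge step fails, instead of leaving the placeholder in place silently.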

Put the secret key in some external configuration file. That's what we do.

+7
Feb 27 '11 at 8:13

There are several external tools that do just that. Basically, these tools encrypt the file with your private data and store it in VCS, but ignore the original unencrypted file.

One of the most famous and reliable is blackbox. It uses gpg to encrypt your files and works with both git and hg. By the way, it was created by the SO team. Take a look at the alternatives section; it has at least five other tools.

I can also recommend the git-secret tool; it also uses gpg, but it only works with git. The main advantage is that the workflow is much simpler compared to other tools.

+2
Mar 10 '16 at 22:26

You may risk trusting GitHub's security/privacy if it's a private repository, or:
- Extract the data from the configuration file on the server. For example, if you use Capistrano for deployment, you can add a step that copies the configuration file somewhere on the server.
- Use an environment variable.

+1
Feb 27 '11 at 8:19