Securely providing the database password in a Rails app

13
votes

As you know, you MUST provide the correct database name, username, and password for the database in the config/database.yml file, or your Rails app will refuse to work.

In the default setup, your password is in plain text in the config/database.yml file. If your app is on a free GitHub repository, then your password is public information. This is not a viable option for a serious app. (It's OK for a tutorial exercise, provided that you don't use this password for anything else.)

I have a solution that has worked for me so far, but I'm wondering if there is something better. You can see my deployed example at https://github.com/jhsu802701/bsf .

What I do is set up the config/database.yml file to provide the username and password for the development environment programatically. For the development environment, I add commands to the config/database.yml script to acquire the development environment username (which is my regular username for the Debian Linux setup I use) and a blank password. (I give my username Postgres superuser privileges.) For the production environment, I add a command in the deployment script that acquires the username and password from files elsewhere on my account and writes this information to the config/database.yml file.

Is there a better solution?

Is there a Ruby gem that covers this? If not, I'm thinking of creating one.

4
ruby-on-railsdatabasepasswords

4 Answers

21
votes

The way that heroku does it, and a vast majority of other rails shops are with ENV variables

Export two variables to your environment, 

export POSTGRES_USERNAME='username'
export POSTGRES_PASSWORD='password'

then in your database.yml file you can do

username: <%= ENV['POSTGRES_USERNAME'] %>
password: <%= ENV['POSTGRES_PASSWORD'] %>
5
votes

This is how I make it work:

On terminal/cmd:

heroku config:set YOUR_DATABASE_PASSWORD=passywordy

Then, in /config/database.yml file;

production:
<<: *default
password: <%= ENV['YOUR_DATABASE_PASSWORD'] %>

(this password area is automatically generated when I used rails new my_app -d postgresql)

1
votes

On other than heroku export you variables to system environment (linux) by typing in bash export KEY=value Then you can call it in Rails by ENV['KEY']

e.g.
in bash:
export CMS_DATABASE_PASSWORD=MySecurePassword
in secrets.yml:
password: <%= ENV['CMS_DATABASE_PASSWORD'] %>

1
votes

Setting the environment variables as described in existing posts above, will only persist the environment variables for the duration of the current shell session.

To set the environment variables permanently, the export instruction(s) should be added to your shell config file. (Then run source ~/.bashrc to apply the changes to your current session)

TL;DR: If you're using BASH, add the export instruction(s) to ~/.bashrc.

While the above should suffice (if using BASH on most popular Linux distros), confidently identifying which config file to update for your shell can be quite tricky. The following post explains the reasons why and provides guidance on which config file to edit.

https://unix.stackexchange.com/questions/117467/how-to-permanently-set-environmental-variables