Quick gem to help with passwords

mgreenly · February 21, 2013, 5:44pm

I’ve created a small gem called multa_arcana (latin for “Many Secrets”)
which allows one to store all Rails secrets in one file, which should
not
be checked into revision control, but other files then can be. Source
is
on GitHub - skandragon/multa_arcana

Usage:

add to Gemfile: gem ‘multa_arcana’

Create a file to hold the secrets: config/secrets.yml
While the filename can be changed, it is somewhat hard to do so without
modifying a file that is loaded fairly early, like application.rb. I
just
use the default. Currently to change this, one must pass in a file to
load
on the first call to retrieve a secret. API suggestions welcome.

Place in this file the various secrets your rails app needs to keep
secret:

db_username: john
db_password: my-super-secret-db-password
secret_token: lkasjdlkqjlkas…la9u9203udkd
redis: redis://user:password-for-redis@host
devise_pepper: 239ru2ij3jf9u02dhis…92930d02hdhdlka3

Use it wherever you need to:

config/database.yml:

production:
adapter: postgresql
encoding: unicode
database: thing_production
pool: 5
host: 127.0.0.1
username: <% MultaArcana::secret_for(:db_username) %>
password: <% MultaArcana::secret_for(:db_password) %>

config/initializers/secret_token.rb:

Thing::Application.config.secret_token =
MultaArcana::secret_for(:secret_token)

–
(Ruby, Rails, Random) blog: http://blog.flame.org/

mgreenly · February 21, 2013, 6:22pm

Michael G. wrote in post #1098246:

I’ve created a small gem called multa_arcana (latin for “Many Secrets”)
which allows one to store all Rails secrets in one file, which should
not
be checked into revision control, but other files then can be. Source
is
on GitHub - skandragon/multa_arcana

Interesting, but what advantage does this have over…

mgreenly · February 22, 2013, 9:05am

Why not just use environment variables?

mgreenly · February 21, 2013, 6:29pm

Probably none, but “settingslogic” didn’t appear in my search when I
looked
for ways to store secrets in a single file.

mgreenly · February 22, 2013, 3:16pm

Michael G. wrote in post #1098252:

Probably none, but “settingslogic” didn’t appear in my search when I
looked
for ways to store secrets in a single file.

Sure there is advantage to writing your own gem. You wrote it, and
shared it with the community. That’s AWESOME! I considered doing
something similar, until I ran across SettingsLogic.

Posted by unknown (Guest) on 2013-02-22 09:05
Why not just use environment variables?

Yes, environment variables are certainly an option, but I really like
the consistent API, and baked-in support for different environments that
SettingLogic provides.

mgreenly · February 24, 2013, 4:24pm

If it’s an issue of security…if somebody is already looking at your
processes, what’s keeping them from cd’ing to your application’s config
directory and reading secrets.yml?

mgreenly · February 24, 2013, 3:03am

Because environment variables show up in process lists.