How to safely store API keys in Rails apps
source link: https://blog.arkency.com/2017/07/how-to-safely-store-api-keys-in-rails-apps/
Inspired by a question on reddit: Can you store user API keys in the database? I decided to elaborate just a little bit on this topic.
Assuming you want to store API keys (or passwords for SSL certificate files), what are your options? What are the pros and cons in each case?
Save directly in codebase
# config/environments/production.rb
config.mailchimp_api_key = "ABCDEF"
Cons:
- Won’t work with dynamic keys provided by users of your app
- Every developer working on your app knows API keys. This can bite you later when that person leaves or is fired. And I doubt you rotate your API keys regularly. That includes every notebook your developers have, which can be stolen (make sure it has encrypted disc) or gained access to.
- Every 3rd party app has access to this key. That includes all those cloud-based apps for storing your code, rating your code, or CIs running the tests. Even if you never have a leak, you can’t be sure they don’t have a breach in security one day. After all, they are very good target.
- Wrong server configuration can lead to exposing this file. There have been historical cases where attackers used ../../something/else as file names or parameter names to read certain files on servers. Not that likely in a Rails environment, but who knows.
- In short: when the project code is leaked, your API key is leaked.
- Least safe
Save in ENV
config.mailchimp_api_key = ENV.fetch('MAILCHIMP_API_KEY')
Pros:
- Relatively easy. On Heroku you can configure production variables in their panel. For the development and test environments you can use dotenv, which will set the environment based on configuration files. You can keep your development config in a repository and share it with your whole team.
Cons:
- Won’t work with dynamic keys provided by users of your app
- If your ENV leaks due to a security bug, you have a problem.
Save in DB
class Group < ApplicationRecord
end
Group.create!(name: "...", mailchimp_api_key: "ABCDEF")
- Works with dynamic keys
- If you ever send Group as JSON, via an API, or serialize it to some other place, you might accidentally leak the API key as well. Take caution to avoid it.
- If your database or a database backup leaks, the keys leak as well. This can especially happen when developers download backups or use them for development.
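The accidental-serialization leak described above is easy to demonstrate without a database. The following is an added example (not code from the original post): a plain Ruby stand-in for the Group model that drops the sensitive column from as_json/to_json and from inspect (which ends up in logs and error reports), plus a small check that a payload does not contain a known secret. The class, attribute names and sample key value are constructed for this example.

```ruby
require 'json'

# Constructed stand-in for an ActiveRecord model holding an API key column.
class Group
  SENSITIVE_ATTRIBUTES = %w[mailchimp_api_key].freeze

  attr_reader :name, :mailchimp_api_key

  def initialize(name:, mailchimp_api_key:)
    @name = name
    @mailchimp_api_key = mailchimp_api_key
  end

  # What a default, unfiltered serialization would emit: every column, key included.
  def attributes
    { 'name' => name, 'mailchimp_api_key' => mailchimp_api_key }
  end

  # Safe serialization: strip sensitive columns before anything leaves the process.
  # In ActiveRecord the same idea is an as_json override that removes the column.
  def as_json(_options = {})
    attributes.reject { |column, _| SENSITIVE_ATTRIBUTES.include?(column) }
  end

  def to_json(*args)
    as_json.to_json(*args)
  end

  # Keep the key out of inspect output as well; it shows up in logs and exception reports.
  def inspect
    "#<Group name=#{name.inspect} mailchimp_api_key=[FILTERED]>"
  end
end

# Guard for outgoing payloads or log lines: true when the given secret is absent.
def secret_absent?(payload, secret)
  !payload.include?(secret)
end

if __FILE__ == $PROGRAM_NAME
  group = Group.new(name: 'acme', mailchimp_api_key: 'ABCDEF') # constructed sample value
  puts group.to_json
  puts group.inspect
  puts secret_absent?(group.to_json, 'ABCDEF')
end
```

The allow-list in SENSITIVE_ATTRIBUTES is the part to keep in sync with the schema; a serializer that enumerates what to include, rather than what to exclude, fails safer when new secret columns are added later.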
Save in DB and encrypt (secret in code or in ENV)
class Group < ApplicationRecord
attr_encrypted_options.merge!(key: ENV.fetch('ATTR_ENCRYPTED_SECRET'))
attr_encrypted :mailchimp_api_key
end
Group.create!(name: "...", mailchimp_api_key: "ABCDEF")
- Use attr_encrypted
- and the already mentioned dotenv
For the sensitive API key to be leaked, two things need to happen:
- DB leak
- ENV or code leak, whichever contains the secret you use for encryption
- If only one of them happens, that’s not enough.
- The safest approach
- A bit more complicated, but not much
- Your tests might be a bit slower when you strongly encrypt/decrypt in the most important models, which are used a lot
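To make the "two things need to happen" property concrete, here is an added example (not attr_encrypted's implementation and not code from the original post) of application-level encryption of a column value with a key held in ENV, using AES-256-GCM from Ruby's OpenSSL binding. The stored value is what a DB dump would contain; decrypting it requires the ENV secret, and a wrong key fails authentication instead of returning garbage. The ENV variable name is taken from the post; the hex key encoding, function names and sample values are assumptions for this example.

```ruby
require 'openssl'
require 'base64'

ENV_KEY_NAME = 'ATTR_ENCRYPTED_SECRET'

# Read the 32-byte AES key from ENV (hex-encoded; an assumption for this example).
# ENV.fetch fails fast when the variable is missing instead of silently using nil.
def encryption_key
  hex = ENV.fetch(ENV_KEY_NAME)
  key = [hex].pack('H*')
  raise ArgumentError, "#{ENV_KEY_NAME} must be 32 bytes (64 hex chars)" unless key.bytesize == 32
  key
end

# Encrypt a plaintext API key. The return value is what would sit in the DB column:
# base64(iv || auth_tag || ciphertext), with a fresh random IV per record.
def encrypt_api_key(plaintext, key = encryption_key)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv          # 12 bytes for GCM, generated and set on the cipher
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
end

# Decrypt a stored column value. Raises OpenSSL::Cipher::CipherError when the key is
# wrong or the stored blob was tampered with (GCM tag check), never returning junk.
def decrypt_api_key(stored, key = encryption_key)
  blob = Base64.strict_decode64(stored)
  iv, tag, ciphertext = blob[0, 12], blob[12, 16], blob[28..-1]
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  cipher.update(ciphertext) + cipher.final
end

# Models the "DB leaked, ENV did not" scenario: does the stored value alone,
# combined with some key the attacker holds, yield the plaintext?
def leaked_row_reveals?(stored, candidate_key)
  decrypt_api_key(stored, candidate_key)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed key for a stand-alone run; in production this comes from the environment.
  ENV[ENV_KEY_NAME] ||= OpenSSL::Random.random_bytes(32).unpack1('H*')
  stored = encrypt_api_key('ABCDEF') # constructed sample API key
  puts "stored column value: #{stored}"
  puts "decrypts with ENV key: #{decrypt_api_key(stored)}"
  puts "reveals with wrong key: #{leaked_row_reveals?(stored, "\x01" * 32)}"
end
```

Two details matter for the property the post describes: the IV is random per record, so identical keys in two rows do not produce identical ciphertext, and the GCM tag means a dump plus a guessed key cannot be "decrypted" into plausible-looking output, which keeps the failure loud rather than silent.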
Use encrypted Rails secrets
- Configure the RAILS_MASTER_KEY env variable on your development and production environment
- Edit config/secrets.yml.enc using bin/rails secrets:edit and commit + push the changes
- Set config.read_encrypted_secrets = true at least in config/environments/production.rb
- Use Rails.application.secrets in the application code
- Your API keys are encrypted
- The keys are versioned using your version control system, such as Git
- Does not work with dynamic keys
Would you like to continue learning more?
If you enjoyed the article, subscribe to our newsletter so that you are always the first one to get the knowledge that you might find useful in your everyday Rails programmer job.
Content is mostly focused on (but not limited to) Ruby, Rails, Web-development and refactoring Rails applications.