How do you keep secrets.yml secret in rails?


Question

I'm pretty new to rails, but I have some experience programming in PHP and other languages. I really like rails, and I'm working on an application for my company, but I still don't fully understand how the secrets.yml file works with git and heroku. I understand that secrets are used for authentication, but I don't understand exactly how to keep them secret while still deploying to heroku through git.

First question is, do I really need to keep my development and test secrets a secret? Rails automatically sets production development secret to the environment secret (which I still don't fully understand), but why would it matter if people knew what my development and test secrets are?

Secondly, what is a good resource to better understand using secrets.yml file in conjunction with git? The rails guide doesn't seem to document using it very well (only about a paragraph is dedicated to secrets.yml), and this seems like a pretty important topic that could lead to a serious security flaw in your application.

Finally, how do other people protect their secrets? Looking at several example apps on github, I've noticed that most people don't seem to take any steps to keep the secrets file in .gitignore. Is this simply an oversight, or is it because it isn't as serious of a security matter as I think it is?

I appreciate any help I can get. I've been researching this particular issue for a while and haven't really gotten any comprehensive solutions to the problem. I want to present my project to my company and explain the advantages of using version control systems like git, but I also want the app to be secure enough to trust that it is keeping my company's data safe.

Solution

Here's a (hopefully simple) step by step guide FOR HEROKU that should be performed prior to pushing files (secrets.yml) to GitHub, or another host.

*I am not an expert on this topic but this worked well for me and seems like a good solution. It combines info from answers to this question as well as answers to this question (Step by Step explanation for using Rails secrets.yml without exposing keys to public repo when deploying to Heroku) to provide a simple guide :)

1) Copy secrets.yml to another file named secrets_backup.yml

you should now have two files with the same content as secrets.yml

2) Add secrets_backup.yml to your .gitignore

3) Change the text in secrets.yml to the following

development:
  secret_key_base: <%= ENV["SECRET_KEY_BASE_DEV"] %>
test:
  secret_key_base: <%= ENV["SECRET_KEY_BASE_TEST"] %>
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

4) cd to your rails project folder on the command line

5) In the terminal type heroku config:set SECRET_KEY_BASE_TEST=<pasted key>, where <pasted key> should be copied and pasted from the test: secret_key_base:<key> which is in secrets_backup.yml

6) In the terminal type heroku config:set SECRET_KEY_BASE_DEV=<pasted key>, where <pasted key> should be copied and pasted from the development: secret_key_base:<key> which is in secrets_backup.yml

7) My secrets.yml file already had the SECRET_KEY_BASE instead of the actual key, so I suspect yours will too. But if not, set the SECRET_KEY_BASE variable as the other two were set above.

8) Push your repo to GitHub and Heroku

9) Smile because you're the G.O.A.T and show off your sweet website!
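The ERB-in-YAML approach from the answer above, as an added Ruby example that is not part of the original answer: it renders a tracked secrets.yml the way Rails does, flags any environment whose secret_key_base is still a literal value before the file is pushed, and reports the failure mode where a Heroku config var was never set. Both file contents and the 32-character placeholder in LEAKY_YML are constructed samples, not real keys.

```ruby
require "erb"
require "yaml"

# Constructed copy of the tracked secrets.yml from the answer: every key is an ENV lookup.
SECRETS_YML = <<~YML
  development:
    secret_key_base: <%= ENV["SECRET_KEY_BASE_DEV"] %>
  test:
    secret_key_base: <%= ENV["SECRET_KEY_BASE_TEST"] %>
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YML

# Constructed "before" file: development still carries a literal placeholder key.
LEAKY_YML = <<~YML
  development:
    secret_key_base: 0123456789abcdef0123456789abcdef
  test:
    secret_key_base: <%= ENV["SECRET_KEY_BASE_TEST"] %>
YML

# Rails renders config/secrets.yml through ERB, then parses the result as YAML;
# this mirrors that and returns only the section for the given RAILS_ENV.
def load_secrets(yml, rails_env)
  (YAML.safe_load(ERB.new(yml).result) || {}).fetch(rails_env, {})
end

# Environments whose secret_key_base is a literal value rather than an ERB lookup,
# i.e. a secret that would be committed if this file were pushed as-is.
def hardcoded_keys(yml)
  current = nil
  yml.each_line.filter_map do |line|
    if (m = line.match(/\A(\w+):\s*\z/))
      current = m[1]
      nil
    elsif (m = line.match(/\A\s+secret_key_base:\s*(.*?)\s*\z/))
      value = m[1]
      current if !value.empty? && !value.start_with?("<%=")
    end
  end
end

# An unset config var renders as an empty YAML value (nil), so the app would start
# with no secret_key_base at all. `rake secret` emits 64 random bytes as 128 hex
# characters; to_s guards against YAML typing an all-digit key as an Integer.
def check_secret_key_base(secrets, min_length = 128)
  key = secrets["secret_key_base"].to_s.strip
  return :missing if key.empty?
  return :too_short if key.length < min_length
  :ok
end
```

Running `hardcoded_keys` over config/secrets.yml before each push is the check that catches a key left behind in step 3.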
