How do I protect my private keys when using github, heroku, and developing locally?
Currently, I put the keys I use to access other APIs and the like in the environment.rb file. That way they are available both when I run locally and on Heroku.
However, I'd like to start to make my code available publicly via GitHub so I can get some help.
What are the steps I need to do to make this happen, particularly so that I can test locally and test on Heroku?
It seems like there's a way on Heroku to add the keys from a command line, so they don't need to reside in the Ruby on Rails app. But what about for local development?
You can use environment variables (config vars on Heroku) to store your API keys and not check them into source.
For a project that I am working on, I use a fork of twitter-auth, and changed it to read the client secret and key from env variables:
http://github.com/dpmcnevin/twitter-auth/blob/ace5d60a8ed8121cca4c97ef30a0cd025b99bfe1/lib/twitter_auth.rb#L68
OAuth::Consumer.new(
  ENV['oauth_consumer_key'] || config['oauth_consumer_key'],
  ENV['oauth_consumer_secret'] || config['oauth_consumer_secret'],
  options
)
I then set up the keys in my .rvmrc in the project directory for local use:
export oauth_consumer_key=xxxxxxxxxxxx
export oauth_consumer_secret=xxxxxxxxxxxxxxxxxxx
rvm ree@redactify
And finally set up the environment variables on Heroku:
$ heroku config:add oauth_consumer_key=xxxxxxxxxxxxx
$ heroku config:add oauth_consumer_secret=xxxxxxxxxxxxx
$ heroku config
DATABASE_URL => postgres://.....
RACK_ENV => production
oauth_consumer_key => xxxxxxxxxxxxxxxx
oauth_consumer_secret => xxxxxxxxxxxxxxxxxxx
Then just make sure that your .rvmrc is in the .gitignore and then you can push to GitHub without exposing any API keys.
Move them to an initializer and add the file to .gitignore.
EDIT:
There is a directory in config called initializers. This is where you place code that is supposed to run once when your application starts. In the past, environment.rb was used for these settings, but initializers keep things better organized. I would create a file in the initializers directory called "load_keys.rb" or something like that. In this file, you would put the exact code that was in your environment.rb file that you don't want in github.
- Put your private keys in ~/.ssh as usual.
- Encrypt your private keys with a passphrase.
- Install keychain.
- Add
eval $(keychain --eval private-key-file1 private-key-file2 private-key-file3)
to your ~/.bashrc, ~/.profile, ~/.bash_profile or what have you. (See the keychain man page for csh, tcsh, zsh, or whatever)