A Rails app often has to connect to other services via an api key. For example, if you want users to be able to log in via their google credentials. One problem this raises is how to secure these api keys.<\/p>\n
The solution I’ve used in my latest app, was to encrypt the key in the database. With this solution, the key is:<\/p>\n
I decided to base my solution on a Setting model I had used in another app<\/a>. This would give me a way of storing the setting data, and retrieving it.<\/p>\n However, each setting value is stored in plain text in the database, so the setting would not only be accessible via the app, but also directly from the database.\u00a0The value needed to be encrypted. <\/strong>I decided that I would not want to encrypt all settings, so I wanted encryption to be an optional setting.<\/p>\n The end result was mournful settings<\/a>.<\/p>\n With this in place I was able to store my api keys and secrets encrypted in the database and retrieve them like this (example from devise initializer):<\/p>\n I used seeding to set up the setting objects with invalid values, and exposed the setting model via active_admin<\/a> with this register:<\/p>\n In this way api keys can be accessed via administrators and modified as needed. <\/p>\n Of course, this is only as secure as the active admin interface, but that’s fine for this project. If I was being paranoid, I’d not expose the setting model via a web interface, and instead create and edit settings via the console.<\/p>\n An update<\/strong> A Rails app often has to connect to other services via an api key. For example, if you want users to be able to log in via their google credentials. One problem this raises is how to secure these api … Continue reading
\n :google_oauth2<\/span>,
\n Setting.for<\/span>(<\/span>:google_client_id<\/span>)<\/span>,
\n Setting.for<\/span>(<\/span>:google_client_secret<\/span>)<\/span>
\n)<\/span><\/div><\/div>\n
\n
\n actions :all<\/span>, :except<\/span> =><\/span> [<\/span>:destroy<\/span>]<\/span>
\n
\n index do<\/span>
\n selectable_column
\n column :name<\/span>
\n column :description<\/span>
\n column :value<\/span>
\n column :encrypted<\/span>
\n default_actions
\n end<\/span>
\n
\n form do<\/span> |<\/span>f|<\/span>
\n f.inputs<\/span> "Details"<\/span> do<\/span>
\n f.input<\/span> :name<\/span>
\n f.input<\/span> :description<\/span>
\n f.input<\/span> :value<\/span>, :input_html<\/span> =><\/span> {<\/span>:value =><\/span> setting.value<\/span>}<\/span>
\n f.input<\/span> :encrypted<\/span>
\n end<\/span>
\n f.buttons<\/span>
\n end<\/span>
\n
\nend<\/span><\/div><\/div>\n
\nRecently I needed to secure some api keys without putting them into the database, and I used figaro<\/a>. Definitely worth a look at if you need to secure api keys without having to exposed them via an admin interface.<\/p>\n","protected":false},"excerpt":{"rendered":"