
Houston Ruby Brigade Message Board › Securing database password in database.yml

Securing database password in database.yml

Anand V
user 63085942
Houston, TX
Post #: 1
Hello Ruby Brigade members,

How do folks normally secure the database password in the database.yml file?

I know we need to secure things at a system level and database level so that no one other than root and in my case user apache can read the file.

I need to know if there is a way to encrypt the password so that even if anyone gets access to the system they will not be able to easily figure out the password.

Thank you

Lester B.
Houston, TX
Post #: 9
In the Twelve Factor App architecture of web apps, the password is interpolated into database.yml at runtime, but stored in the environment:


The Twelve Factor App structure is the basis for Heroku, for example. Heroku stores passwords out of band with Heroku tools for managing the environment.

Of course, if you are not on Heroku, this only abstracts the problem one level...

But more to your question, "if anyone gets access to the system" it isn't your system anymore:

10 Immutable Laws of Security


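Lester's suggestion, as an added example that is not from the thread: a constructed database.yml whose password is an ERB reference to the environment, plus the Ruby that renders it the way Rails does, refuses a file that still carries a literal password, and fails loudly when the variable is unset. The variable name APP_DB_PASSWORD and the file contents are assumptions.

```ruby
require "erb"
require "yaml"

# Constructed sample database.yml (not a real project's file). The password
# is an ERB reference to the environment, so the file carries no literal secret.
DATABASE_YML = <<~YAML
  production:
    adapter: mysql2
    host: 127.0.0.1
    database: app_production
    username: app
    password: <%= ENV.fetch("APP_DB_PASSWORD") %>
YAML

# Return the "password:" values in the raw file that are literals rather than
# ERB expressions; a non-empty result means a secret is sitting in the file.
def literal_passwords(yaml_text)
  yaml_text.each_line.filter_map do |line|
    next unless (m = line.match(/^\s*password:\s*(.+?)\s*$/))
    m[1] unless m[1].start_with?("<%")
  end
end

# Render the ERB, then parse the YAML (the order Rails uses) and return the
# block for rails_env. An unset variable raises instead of silently producing
# a blank password that would only surface later as an authentication error.
def load_db_config(yaml_text, rails_env)
  unless (leaks = literal_passwords(yaml_text)).empty?
    raise "database.yml contains #{leaks.size} literal password(s); move them to the environment"
  end
  rendered = begin
    ERB.new(yaml_text).result
  rescue KeyError => e
    raise KeyError, "database.yml references an unset variable: #{e.message}"
  end
  config = YAML.safe_load(rendered)
  config.fetch(rails_env) { raise ArgumentError, "no '#{rails_env}' section in database.yml" }
end

if __FILE__ == $PROGRAM_NAME
  ENV["APP_DB_PASSWORD"] ||= "constructed-example-secret"
  # Print everything except the password itself, so the secret stays out of logs.
  puts load_db_config(DATABASE_YML, "production").reject { |k, _| k == "password" }.inspect
end
```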
Sammy L.
Richmond, TX
Post #: 1
What I normally do:

1) Don't check database.yml (or anything else containing a password or private key) into the repository.
2) Keep those files on the server, like you say, with limited readership.
3) Symlink to them on deploy.
4) Lock down DB access to specific IP addresses, either through the use of a firewall, or in the case of mysql, never having 'username'@'%' (only localhost, or the IP address of the app servers if on different servers).

Thanks Lester for sharing, I hadn't read it before.

I don't know how I feel about using environment variables for this kind of thing. It seems like it could be a good idea, but recently I was feeling burned by these global variables because I was having a hard time figuring out a problem with an app due to them.

Anand V
user 63085942
Houston, TX
Post #: 2
Thank you Lester and Sammy, I will lock down the system and DB as mentioned. I have a VM from one of the providers, and looking at my syslogs there are a ton of people making attempts to ssh into the system. So far it looks like locking down the system and the APF firewall are doing a good job. I do not know how VMs are managed, but it looks like the hosting provider admins will be able to access any of my files.