How Do You Secure database.yml?

Within Ruby on Rails applications, database.yml is a plain text file that stores database credentials.

When I deploy my Rails applications I have an after deploy callback in my Capistrano recipe that creates a symbolic link within the application's /config directory to the database.yml file. The file itself is stored in a separate directory that's outside the standard Capistrano /releases directory structure. I chmod 400 the file so it's only readable by the user who created it.

  • Is this sufficient to lock it down? If not, what else do you do?
  • Is anyone encrypting their database.yml files?

The way I have tackled this is to put the database password in a file with read permissions only for the user I run my application as. Then, in database.yml I use ERB to read the file:

production:
  adapter: mysql
  database: my_db
  username: db_user
  password: <%= begin IO.read("/home/my_deploy_user/.db") rescue "" end %>

Works a treat.
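
Added example, not part of the original answer: a variant of the ERB approach above that refuses to load the password unless the file is a regular file owned by the running user with no group/other permission bits, and that fails loudly instead of falling back to an empty password. The helper names `read_locked_secret`, `load_db_config` and `demo`, and the sample secret, are assumptions made for illustration.

```ruby
require "erb"
require "yaml"
require "tmpdir"

# Hypothetical helper (not from the post): return the secret only if the file
# is a regular file, owned by the current user, with no group/other bits set.
def read_locked_secret(path)
  st = File.lstat(path) # lstat: a symlink in place of the file is rejected
  raise SecurityError, "#{path}: not a regular file" unless st.file?
  raise SecurityError, "#{path}: owner uid #{st.uid} is not the app user" unless st.uid == Process.euid
  unless (st.mode & 0o077).zero?
    raise SecurityError, format("%s: mode %04o exposes group/other", path, st.mode & 0o7777)
  end
  File.read(path).chomp # drop the trailing newline editors add
end

# Render a database.yml template through ERB, as Rails does, then parse it.
def load_db_config(template)
  YAML.safe_load(ERB.new(template).result(binding))
end

# Constructed sample: a throwaway secret file and a template shaped like the
# database.yml in the answer. Returns [password_loaded, loose_mode_rejected].
def demo
  Dir.mktmpdir do |dir|
    secret = File.join(dir, ".db")
    File.write(secret, "s3cret-sample\n")
    File.chmod(0o400, secret)
    template = <<~YML
      production:
        adapter: mysql
        database: my_db
        username: db_user
        password: <%= read_locked_secret(#{secret.inspect}) %>
    YML
    ok = load_db_config(template)["production"]["password"]
    File.chmod(0o644, secret) # simulate a deploy that loosened the mode
    rejected = begin
      load_db_config(template)
      false
    rescue SecurityError
      true
    end
    [ok, rejected]
  end
end
```

Raising at load time means a loosened mode or swapped file stops the application at boot rather than letting it try to connect with an empty password.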


You'll also want to make sure that your SSH system is well secured to prevent people from logging in as your Capistrano bot. I'd suggest restricting access to password-protected key pairs.

Encrypting the .yml file on the server is useless since you have to give the bot the key, which would be stored . . . on the same server. Encrypting it on your machine is probably a good idea. Capistrano can decrypt it before sending.


Take a look at this GitHub solution: https://github.com/NUBIC/bcdatabase. bcdatabase provides an encrypted store where the passwords can be kept separated from the YAML files.

bcdatabase

bcdatabase is a library and utility which provides database configuration parameter management for Ruby on Rails applications. It provides a simple mechanism for separating database configuration attributes from application source code so that there's no temptation to check passwords into the version control system. And it centralizes the parameters for a single server so that they can be easily shared among multiple applications and easily updated by a single administrator.