How to use Rails with SecretHub
This guide will show how you to load secrets from SecretHub into your Rails application. These could be database passwords, API keys, encryption keys, or anything else you’d like to keep secret.
Instead of putting secrets values in source code or config files, you’ll be able to load them on demand from a secure and central place.
Before you begin
Before you start using SecretHub with Rails, make sure you have completed the following steps:
- Set up SecretHub on your workstation.
- Have Ruby on Rails installed and have a project ready to use.
Step 1: Replace plaintext values with references
Collect all secrets from your source code, credentials.yml
, database.yml
or other config files, and use the SecretHub CLI to encrypt and store them.
To do this, copy the values to your clipboard and use the write
command and specify a path on SecretHub:
secrethub write --clip your-username/demo/api_key
In your Ruby code, read these secrets from environment variables:
api_key = ENV['API_KEY']
For secrets in your .yml
files, you can use ERB tags to load those from the environment too:
api_key: <%= ENV['API_KEY'] %>
Then, in your app launch script or runtime environment, you’ll have to set these environment variables.
But instead of using plaintext values, reference the secrets by the path you chose earlier, prefixed with secrethub://
:
export API_KEY=secrethub://your-username/demo/api_key
Step 2: Load secrets into your app
To load secrets into your app, you don’t have to incorporate a Ruby client or SDK of some sort. Your application code can stay SecretHub-agnostic.
Instead, you can use the CLI to automatically fetch and decrypt secrets the moment your app starts.
Simply wrap your app start command with secrethub run
and any environment variable that references a SecretHub secret will get updated to contain the actual secret value:
secrethub run -- rails server
That’s it! You have now provisioned the app without a secret being near it. 🎉
As an added bonus, secrethub run
keeps an eye on your log output to see if any secret accidentally gets logged and masks them from the output!
Additional Tips
Master key file
If you prefer to keep using the credentials.yml
and master.key
files, you can also store your master.key
on SecretHub.
This does mean that you’re not fully leveraging the features that SecretHub has to offer you, but it may still be good to have as an option.
To do this, you can pass the local path of the file to the -i
flag:
secrethub write -i master.key your-username/demo/master.key
After doing so, you can safely remove the local copy from your workstation.
You don’t have to change any code, because Rails automatically looks for the environment variable RAILS_MASTER_KEY
if there’s no master.key
file.
Now all there’s left, is to add a reference to it:
export RAILS_MASTER_KEY=secrethub://your-username/demo/master.key
Next Up: Deploy your app
It’s great if simple examples work locally, but they don’t mean much if they don’t work anymore in a real-world scenario. So to read more about actually deploying your app with SecretHub, see: