@yarinb
Created May 2, 2012 09:35
Elegant (??) solution to database.yml passwords
# Since you already have an SSH keypair on your deployment host, you may use it to decrypt
# database credentials at load time.
#
# The solution can be tweaked a bit to decrypt with Capistrano at deployment time.
# In the case where the private key is passphrase-protected this won't work, but it's pretty straightforward to fix.
#
# Hope it's a nice starting point for a more mature solution.
#
# --Yarin
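<%
  require 'openssl'

  class RSACrypt
    # Decrypt an RSA-encrypted value with a private key on the deployment host.
    def self.decrypt(crypt, pk_file=nil)
      puts "Actually Works!"
      # Default to the current user's SSH private key (absolute path under $HOME).
      pk_file = File.join(Dir.home, ".ssh", "id_rsa") unless pk_file
      pk = OpenSSL::PKey::RSA.new File.read(pk_file)
      pk.private_decrypt(crypt)
    end
  end
%>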
production:
  adapter: postgresql
  database: dbprod
  username: <%= RSACrypt.decrypt("\x1A0\xEA\xB6!\x11\x14\xF0?4@\xDC!\x1ER\xAE\xF0 2\x93\x8Ft\x01\x8C>|\x82\xB8\xD3\xC9\\\xF0k\xEE\xB8?\xD2\x85\xD4\xAD\x15@]44\r\x8B\xFD\xF4\xC0~\xCCX\xED\x06b\b\x02\xE7\xCD\x80\x1E\xB2\x99\x84\xD9\x8B\x8E1\x90\x8E\xC9UL4K\xB2\xF8\xEB\xDA\xCF\xAB7\xA7\xF5\x90^\x16\xC3\xD9\xA6\xB9\xD6\t9U\xFE\x977\xFEEK,Y\x82\xD2\x1FPa\xF8\xE9\xE3\\%ZM\xA7\x95\x1C\x17\x9CMp\xF1\xE6S6\xF0\x1F\t\x11\xEF\x1A\xDA\x80\xEE\xFD0\xCD\x03\xC0nT\xFD\x17\xA4\x9A!p\xDF\x1E\xC5\x0F\xEB=\x0F#WNYn\xD4U+\x7Fu\x0EN\x1989\xC3\xF0\x93T/\x8F\x92\x82\xE9f\xA3\xEA\xE3\xF6\\\aWJ\xC7\xD9\xA5\x9Di\xF4.\x16t\xA2%\xC2\xF0\xD2\xD8*\x8Bi+\x13\x8A\xD2\x06o\x99\xF0U_MV\xDC\xAD$\t\x04\x95\x8B\xEE\xFB\x06\x10\x89\xD8f\x8B\xEA\x06\x8E\xE8\x02R\x06<6\x83\xCB_\xE9\xDB\xAC\x15\x91\x04\"d\xBC\xEA", "/etc/ssl/custom_pk") %>
  password: <%= RSACrypt.decrypt("another crypt here...", "/etc/ssl/custom_pk") %>
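
The gist shows only the decrypt side. The following is an added example, not part of the gist: a full round trip that encrypts values with the public key, embeds them in the ERB template, and decrypts them at load time with a passphrase-protected private key. `CredentialBox`, the Base64 encoding, the OAEP padding (swapped in for the default PKCS#1 v1.5 padding the gist uses), and all keys and credentials are assumptions constructed for the demo.

```ruby
require 'openssl'
require 'erb'
require 'yaml'
require 'tempfile'

# Hypothetical helper, not the gist's RSACrypt: Base64 keeps the ciphertext
# printable in YAML, OAEP replaces the default PKCS#1 v1.5 padding, and an
# optional passphrase covers protected private keys.
module CredentialBox
  PAD = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

  # Needs only the PUBLIC key, so it can run away from the deployment host.
  def self.encrypt(plain, public_pem)
    pub = OpenSSL::PKey::RSA.new(public_pem)
    [pub.public_encrypt(plain, PAD)].pack("m0")   # strict Base64, one line
  end

  # Runs at config load time on the host that holds the private key.
  def self.decrypt(b64, pk_file, passphrase = nil)
    pk = OpenSSL::PKey::RSA.new(File.read(pk_file), passphrase)
    pk.private_decrypt(b64.unpack1("m0"), PAD)
  end
end

# Round trip with a constructed throwaway key and constructed credentials.
def demo_database_config(read_passphrase = "constructed-passphrase")
  key = OpenSSL::PKey::RSA.new(2048)
  pub_pem = key.public_key.to_pem
  Tempfile.create("demo_pk") do |f|
    # Store the private key encrypted, as a passphrase-protected id_rsa would be.
    f.write(key.to_pem(OpenSSL::Cipher.new("aes-256-cbc"), "constructed-passphrase"))
    f.flush
    pk, pw = f.path, read_passphrase
    user = CredentialBox.encrypt("dbuser", pub_pem)
    pass = CredentialBox.encrypt("constructed-db-password", pub_pem)
    template = <<~YML
      production:
        adapter: postgresql
        database: dbprod
        username: <%= CredentialBox.decrypt(#{user.inspect}, pk, pw) %>
        password: <%= CredentialBox.decrypt(#{pass.inspect}, pk, pw) %>
    YML
    YAML.safe_load(ERB.new(template).result(binding))
  end
end

p demo_database_config()["production"].keys if __FILE__ == $0
```

Keys written in OpenSSH's newer `BEGIN OPENSSH PRIVATE KEY` format are not PEM keys that OpenSSL can parse, so a default `~/.ssh/id_rsa` from a current `ssh-keygen` needs converting, or a dedicated PEM key should be used instead.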