software hygiene: encrypt your secrets

Most of my projects have a Rakefile because common tasks should be expressed in code instead of English, and Rake is a great way to codify those common tasks. One thing that I have seen developers do is check secret tokens into their repositories in plaintext. I have done this as well. It is the simplest thing to do, but it is terrible practice. So, to atone for my past sins and get others to not check in secret tokens, here is some code I now use to handle secret tokens. Adapt it to your own workflow accordingly.

First, make sure you have gpg installed for your platform, because we are going to shell out to gpg for all our encryption and decryption tasks. Done? Good. Here’s the snippet all my Rakefiles use for encryption and decryption.

Now let’s put the above method to some use.

Never check in certificates for your server in plaintext.

Now that you have only encrypted certificates, you will also need to decrypt them for deploying.

Similarly, any secret keys should always be encrypted.

You will need to decrypt them to make any use of them.
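
One way to write the helper and the certificate and secret-key tasks described above, as an added example that is not the author's code. It assumes public-key encryption to the key named in a GPG_RECIPIENT environment variable and a hypothetical config/certs and config/secrets layout; all function and task names are illustrative.

```ruby
# Added example, not the author's snippet. Assumes public-key encryption to
# the key named in GPG_RECIPIENT and a hypothetical config/ layout.
SECRET_GLOBS = ["config/certs/*.{pem,key}", "config/secrets/*.yml"].freeze

# argv arrays keep file names away from the shell, so nothing needs quoting.
def gpg_encrypt_argv(plain, recipient)
  ["gpg", "--batch", "--yes", "--recipient", recipient,
   "--output", "#{plain}.gpg", "--encrypt", plain]
end

def gpg_decrypt_argv(cipher)
  raise ArgumentError, "expected a .gpg file: #{cipher}" unless cipher.end_with?(".gpg")
  ["gpg", "--batch", "--yes", "--output", cipher.delete_suffix(".gpg"), "--decrypt", cipher]
end

def run_gpg(argv)
  system(*argv) or raise "gpg failed: #{argv.join(' ')}"
end

def encrypt_file(plain, recipient)
  run_gpg(gpg_encrypt_argv(plain, recipient))
end

# Decrypt under a tight umask so a newly created plaintext file is
# readable by its owner only.
def decrypt_file(cipher)
  argv = gpg_decrypt_argv(cipher)
  previous = File.umask(0o077)
  run_gpg(argv)
  argv[argv.index("--output") + 1] # path of the decrypted file
ensure
  File.umask(previous) if previous
end

# Tasks are defined only when this file is loaded by Rake.
if defined?(Rake::DSL)
  namespace :secrets do
    desc "Encrypt plaintext secrets to GPG_RECIPIENT"
    task :encrypt do
      recipient = ENV.fetch("GPG_RECIPIENT")
      Dir.glob(SECRET_GLOBS).each { |f| encrypt_file(f, recipient) }
    end

    desc "Decrypt secrets for a deploy"
    task :decrypt do
      Dir.glob(SECRET_GLOBS.map { |g| "#{g}.gpg" }).each { |f| decrypt_file(f) }
    end
  end
end
```

Run `rake secrets:encrypt` before committing and `rake secrets:decrypt` on the deploy host, which needs the matching private key in its keyring.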

Adding the relevant .gitignore and check-in hooks is left as an exercise for the reader.