skwpspace is Yan Pritzker's home on the web
Posted 29 August 2006 @ 12am
Tagged RubyOnRails, software

Encrypted db passwords for Rails with database.yml and erb

Some people are upset that database.yml exposes passwords in plaintext. There is, however, a pretty simple way to get encryption into database.yml: because Rails runs the file through an ERB interpreter before parsing it as YAML, we can put Ruby code into it:

##### database.yml #####
production:
  adapter: oci
  username: user
  # Rails evaluates this file as an ERB template before parsing the YAML, so the
  # constant holding the ciphertext is decrypted at boot and the clear password
  # never sits in this file.
  password: <%= PROD_DB_PASSWORD.decrypt(PROD_KEYFILE) %>
  host: host/schema

####### local.rb #######
# PROD_DB_PASSWORD (the encrypted password) and PROD_KEYFILE (the path to the
# key, readable only by the application's system user) must be defined before
# database.yml is read.
class String
  def decrypt(keyfile)
    # do some magic to apply the keyfile to the password: any key-based
    # decryption routine can be plugged in here
  end
end

That’s all there is to it! Simply plug in any key-based encryption routine there. In my case we were using a Triple DES two-way encryption that was actually done by an external Java program. I simply invoked the Java interpreter using backticks and got the output, which was my decrypted password.
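As an added example (not the post's code), here is a complete String#decrypt plus the ERB-then-YAML rendering step Rails performs. AES-256-GCM from Ruby's OpenSSL stands in for the author's external Java Triple DES program, and the keyfile path, sample password and the 0600 permission check on the keyfile are constructed for the demo.

```ruby
require "openssl"
require "erb"
require "yaml"
require "tmpdir"
# Added example, not the post's code. AES-256-GCM from Ruby's OpenSSL stands in
# for the author's external Java 3DES tool. The keyfile holds a raw 32-byte
# key; the stored "password" is base64(iv || auth_tag || ciphertext).
class String
  def decrypt(keyfile)
    # Refuse a keyfile group/others can read: the scheme only helps if just the
    # application's system user can turn the ciphertext back into a password.
    mode = File.stat(keyfile).mode & 0o777
    raise "#{keyfile}: expected mode 0600, got #{mode.to_s(8)}" unless (mode & 0o077).zero?
    raw = unpack1("m0")                      # strict base64 decode
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key = File.binread(keyfile)
    c.iv = raw[0, 12]
    c.auth_tag = raw[12, 16]
    c.update(raw[28..]) + c.final            # raises CipherError if tampered
  end
  # Run once, offline, to produce the constant that goes into local.rb.
  def encrypt(keyfile)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = File.binread(keyfile)
    iv = c.random_iv
    ct = c.update(self) + c.final
    [iv + c.auth_tag + ct].pack("m0")
  end
end

# Constructed stand-ins for what local.rb and the deployment would provide.
PROD_KEYFILE = File.join(Dir.tmpdir, "prod_db.key")
File.binwrite(PROD_KEYFILE, OpenSSL::Random.random_bytes(32))
File.chmod(0o600, PROD_KEYFILE)
PROD_DB_PASSWORD = "s3cret-db-pass".encrypt(PROD_KEYFILE)

DATABASE_YML = <<~YML
  production:
    adapter: oci
    username: user
    password: <%= PROD_DB_PASSWORD.decrypt(PROD_KEYFILE) %>
    host: host/schema
YML

# Rails runs database.yml through ERB and only then parses the YAML; doing the
# same here shows the adapter gets the plaintext while the file never holds it.
def production_password
  YAML.safe_load(ERB.new(DATABASE_YML).result(binding))["production"]["password"]
end
```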


4 Comments

Posted by
Nathan
26 September 2006 @ 1pm

If someone already had access to your database.yml file, wouldn’t they also conceivably have access to your key file and general encryption routine? If that is true, it seems like the encryption process would boil down to little more than simple obfuscation.


Posted by
yan
26 September 2006 @ 4pm

Nathan, in theory your keyfile should be readable only by a system user, as should your database.yml file. Assuming your intruder has already gained access to the files, it still means he has to understand how to invoke the decryption scheme, so it’s adding one more step to the break-in process. For example, if your attacker didn’t understand Ruby he could still read the password out of your file, but if it’s encrypted now he has to go through the decryption step. It’s not foolproof, but neither is the lock on the door to your house. It’s just there as a deterrent.

