I don’t want to check my production username and password into version control for security purposes. If I do check it in, everyone will be able to see it. Here is the database.yml file as it is checked into version control:
```yaml
# /config/database.yml:
production:
  adapter: mysql2
  encoding: utf8
  reconnect: false
  database: desk_production
  pool: 5
  username: root
  password: password_here
```
As you can see, ‘password_here’ is checked in as the password – but this is an invalid password if ever checked against the production database. I basically have two options other than checking my live password into version control:
- Save the real database.yml file on the production server in a directory above the application root. Make a Capistrano recipe to create a symbolic link to that file when the app is deployed – this would basically overwrite the database.yml file checked into version control.
- Save the real database.yml file (just like in option #1), but instead of making a symbolic link, import it into the database.yml file checked into version control. This will allow the system to reference the existing file on the server each time the app is deployed without deployers worrying about changing the password or creating symbolic links. Also, I could have the permanent database.yml file which stays on the server set so the deployer can’t see it…
I like the second option the most, it would basically look something like this:
```yaml
# Config file permanently stored on the web server:
# ../app_root/database.yml (notice this is one level up from the app so it doesn't get written over)

# This is the file checked into version control:
production:
  << ../app_root/database.yml
```
Or you can read it from an environment variable:
You just need to make sure that the user that starts your Rails app has the environment variable set in their profile so it will be available in the `ENV` hash. For example, I often use a `deployer` user to deploy apps via Capistrano, so I have `export DB_PASSWORD=the_password` set in that user’s `~/.bashrc` file (or whatever is the proper place for it to go on the system you’re deploying to). This way, it’s part of your source control in the sense that everyone will know where to set the password, but the password itself is not part of your source control. You’ll need to keep that secret, obviously.
It wasn’t immediately obvious to me either, but `.yml` files can have embedded Ruby in them, similar to `.erb` templates, though I have run into situations where things like this didn’t work when the environment variable itself had certain special characters in it.