Skip to content

How do you handle open source projects and private config keys?

twitter logo github logo ・1 min read  

I'm planning to release on my GitHub account some projects related to the articles I'm writing.

The problem is that for these projects I need some private key that I don't want to share on the web. What's the best strategy for you?

I was thinking to have a local config file with the real keys and put that file under gitignore. But If I do so, I'll not be able to get them if I need to work from another PC.

How have you overcome this problem?

twitter logo DISCUSS (3)
markdown guide

Best practice is to never commit any sensitive data (e.g. keys) to any repo. Ignore the file like you said and store a copy somewhere safe (DropBox, OneDrive, iCloud, whatever you use).

Note that if you’ve ever committed a sensitive file to a repository it’s still stored in the repository history. You have to use something like bfg to clean out sensitive files before making the repo public.


Luckily I have published only versions with <your-key-here> values.

So the best way is to ignore the config file, use it for local development and store a copy outside... Uhm, it looks cumbersome, but it makes sense

Classic DEV Post from Nov 1 '19

Do developers have higher job satisfaction than non-developers?

Davide Bellone profile image
Fullstack in my past, backend in my future. C# and .NET in my 💘 But hey, even Angular is not so bad!

Be a better developer. Free forever.