DEV Community

loading...

How do you handle open source projects and private config keys?

bellons91 profile image Davide Bellone ・1 min read

I'm planning to release on my GitHub account some projects related to the articles I'm writing.

The problem is that for these projects I need some private key that I don't want to share on the web. What's the best strategy for you?

I was thinking to have a local config file with the real keys and put that file under gitignore. But If I do so, I'll not be able to get them if I need to work from another PC.

How have you overcome this problem?

Discussion

pic
Editor guide
Collapse
dbanty profile image
Dylan Anthony

Best practice is to never commit any sensitive data (e.g. keys) to any repo. Ignore the file like you said and store a copy somewhere safe (DropBox, OneDrive, iCloud, whatever you use).

Note that if you’ve ever committed a sensitive file to a repository it’s still stored in the repository history. You have to use something like bfg to clean out sensitive files before making the repo public.

Collapse
bellons91 profile image
Davide Bellone Author

Luckily I have published only versions with <your-key-here> values.

So the best way is to ignore the config file, use it for local development and store a copy outside... Uhm, it looks cumbersome, but it makes sense

Collapse
podobaas profile image
Aleksey Podoba

Maybe you can use Azure Vault :) ?