How Do You Secure database.yml?

自闭症患者 2021-01-30 10:26

Within Ruby on Rails applications, database.yml is a plain text file that stores database credentials.

When I deploy my Rails applications I have an after deploy callback

6 Answers
  •  清酒与你
    2021-01-30 11:04

    Better late than never, I am posting my answer as the question still remains relevant. For Rails 5.2+, it is possible to secure any sensitive information using an encrypted file credentials.yml.enc.

    Rails stores secrets in config/credentials.yml.enc, which is encrypted and hence cannot be edited directly. We can edit the credentials by running the following command:

    $ EDITOR=nano rails credentials:edit
    
    secret_key_base: 3b7cd727ee24e8444053437c36cc66c3
    production_dbpwd: my-secret-password
    

    Now, these secrets can be accessed using Rails.application.credentials.

    So your database.yml will look like this:

    production:
      adapter: mysql2  # the legacy "mysql" adapter was removed in Rails 5.0
      database: my_db
      username: db_user
      password: <%= Rails.application.credentials.production_dbpwd %>
    

    You can read more about this here
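
A check that a database.yml keeps its password out of plain text, as the answer above recommends. This is an added example, not code from the original answer or from Rails; the method name `plaintext_secrets`, the `SENSITIVE_KEYS` list and both sample files are assumptions constructed for illustration.

```ruby
require "yaml"

# Keys whose values should come from ERB (credentials or ENV), never a literal.
# Assumed list for this example; extend it to match your own policy.
SENSITIVE_KEYS = %w[password].freeze
ERB_TAG        = /<%.*?%>/m
PLACEHOLDER    = "__ERB__"

# Returns "environment.key" for every sensitive key set to a literal value.
# ERB tags are masked rather than evaluated, so the audit never runs code
# from the file and needs neither Rails nor the master key.
def plaintext_secrets(database_yml)
  masked = database_yml.gsub(ERB_TAG, PLACEHOLDER)
  config = YAML.safe_load(masked, aliases: true) || {}
  findings = []
  config.each do |env, settings|
    next unless settings.is_a?(Hash)
    settings.each do |key, value|
      next unless SENSITIVE_KEYS.include?(key.to_s)
      next if value.nil? || value.to_s.empty?
      next if value.to_s.include?(PLACEHOLDER)
      findings << "#{env}.#{key}"
    end
  end
  findings
end

# Constructed sample: password committed in plain text.
WEAK = <<~YAML
  default: &default
    adapter: mysql2
    username: db_user
  production:
    <<: *default
    database: my_db
    password: my-secret-password
YAML

# Constructed sample: password resolved from encrypted credentials at load time.
HARDENED = <<~YAML
  production:
    adapter: mysql2
    database: my_db
    username: db_user
    password: <%= Rails.application.credentials.production_dbpwd %>
YAML

puts "weak:     #{plaintext_secrets(WEAK).inspect}"
puts "hardened: #{plaintext_secrets(HARDENED).inspect}"
```

Run it in CI against config/database.yml and fail the build when the returned list is not empty.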
