On Nov 26, 10:07 pm, pepe <[EMAIL PROTECTED]> wrote:
> Hello.
>
> I currently have an application deployed and running and just recently
> I have been asked to encrypt the database password. The password is in
> the database.yml file.

The key is to work out what you actually want to achieve.

If you're worried about someone stealing your laptop
and accessing your local copy of the database, then;

- store your mysql data files on an encrypted partition.
- if someone can get onto your machine, they'll also have to know the
password to decrypt that partition, and hence access the database

If you're worried about someone getting onto your production server,
logging onto your database, and then stealing your data, then;

- only allow access to your servers from trusted IPs (probably just
your office)
- ensure that root access via SSH is disabled
- only allow access to servers via ssh-keys, and only use keys which
have a password encoded
- ensure that mysql is only accessible from your production servers
- ensure that your production servers are up-to-date and kept
up-to-date with the latest security patches.

As a minor additional point,
don't check in your database.yml

use a separate one that is copied in when you deploy to your
production servers.
thereby removing any hints as to what your db usernames and password
might be, until you've already hacked into your super-secure servers.
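Added example, not part of the original message: a small Ruby audit of the server-side items in the checklist above (root SSH login disabled, key-only SSH, MySQL not listening on every interface, database.yml kept out of the repository). The function names and all sample config text are assumptions constructed for illustration; `PermitRootLogin`, `PasswordAuthentication` and `bind-address` are the real sshd and MySQL settings.

```ruby
# Added example; every config snippet below is constructed sample input.

# sshd_config keywords are case-insensitive and the first value seen wins.
# Simplification: only the global section (before any Match block) is read.
def sshd_settings(text)
  settings = {}
  text.each_line do |line|
    line = line.sub(/#.*/, "").strip
    next if line.empty?
    key, value = line.split(/[\s=]+/, 2)
    break if key.casecmp?("match")
    settings[key.downcase] ||= value.to_s.strip.downcase
  end
  settings
end

# In MySQL option files the last occurrence of an option wins.
# Returns nil when bind-address is unset (MySQL then listens on all interfaces).
def mysql_bind_address(text)
  text.scan(/^\s*bind[-_]address\s*=\s*(\S+)/i).flatten.last
end

def audit(sshd_config:, my_cnf:, gitignore:)
  findings = []
  ssh = sshd_settings(sshd_config)
  findings << "sshd: root login over SSH is not disabled" unless ssh["permitrootlogin"] == "no"
  findings << "sshd: password logins allowed, not keys only" unless ssh["passwordauthentication"] == "no"
  bind = mysql_bind_address(my_cnf)
  findings << "mysql: listening on all interfaces" if bind.nil? || %w[0.0.0.0 * ::].include?(bind)
  ignored = gitignore.lines.any? { |l| l.strip.sub(%r{\A/}, "") == "config/database.yml" }
  findings << "repo: config/database.yml is not git-ignored" unless ignored
  findings
end

WEAK = {
  sshd_config: "PermitRootLogin yes\nPermitRootLogin no\n# PasswordAuthentication no\n",
  my_cnf: "[mysqld]\nbind-address = 0.0.0.0\n",
  gitignore: "log/*.log\n"
}
HARDENED = {
  sshd_config: "PermitRootLogin no\nPasswordAuthentication no\n",
  my_cnf: "[mysqld]\nbind-address = 10.0.0.5\n",
  gitignore: "log/*.log\n/config/database.yml\n"
}

puts "weak:", audit(**WEAK)
puts "hardened findings: #{audit(**HARDENED).length}"
```

The weak sshd sample sets `PermitRootLogin` twice to show that the earlier `yes` is the value sshd uses. A `.gitignore` entry does not untrack a file that was already committed, so that check only covers new checkouts.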