How to keep API keys outside of my git repo?

I just read this in the Meteor guide about OAuth API keys:

These should never be stored as part of your app’s source code in version control, because developers might copy code around to unexpected places and forget that it contains secret keys. You can keep your keys separately in Dropbox, LastPass, or another service, and then reference them when you need to deploy the app.

This means I should keep my settings JSON file containing my API keys out of my git repo? But if I add it to .gitignore, I will lose the file when I clone the repo from another computer… How do you handle it?

Thanks.

1 Like

I just keep mine on my machine with multiple backups and an encrypted drive (OS X).

I’ve worked at companies before where keys have been kept in password managers. I think the main thing is to keep them separate from your code. For example, if you’re using CI and you’re connecting your Github account to them you’d better hope they don’t have a security issue because then you have one too.

1 Like

For not-exactly-mission-critical stuff, I just keep a secret gist and go get it with wget as part of readying a repo for further work.

you@yours:~/proj$ wget -O ${HOME}/.envvars https://gist.githubusercontent.com/yourse1f-yourorg/f6fccc2f363778e4c02593320581744a/raw/e4817535414f0dfd1c2adae21dc816d0b21a0a1f/.envvars
you@yours:~/proj$
you@yours:~/proj$ cat ${HOME}/.envvars
#!/bin/bash
#
export GITHUB_KEY="5414f0dfd1c2adae21dc816d0b21";
export MAILGUNKEY="key-7268fff364215abd5eb00ff0575528";
export LOGGLYKEY="ccc2f363778e4c0259332";
you@yours:~/proj$
you@yours:~/proj$ source ${HOME}/.envvars;   # loads the three into local environment
you@yours:~/proj$

A neat trick for your settings.json, instead of the more usual settings.json.example, is to source-control an executable shell script file such as template.settings.json.sh. You can then do:

you@yours:~/proj$ ./template.settings.json.sh > settings.json;
you@yours:~/proj$
you@yours:~/proj$ cat settings.json
{
  "MAILGUN_DOMAIN": "yourpublic.work",
  "MAILGUN_KEY": "key-7268fff364215abd5eb00ff0575528",
  "LOGGLY_SUBDOMAIN": "yourwork",
  "LOGGLY_TOKEN": "ccc2f363778e4c0259332",
  "public": {
    "APP_META": {
      "Name": "Our App",
      "Privacy": "If you ain't paying for the product, you ARE the product."
    }
  }
}
you@yours:~/proj$ 

The template would look like this:

you@yours:~/proj$ cat template.settings.json.sh
#!/bin/bash
#
cat <<EOF
{
  "MAILGUN_DOMAIN": "yourpublic.work",
  "MAILGUN_KEY": "${MAILGUNKEY}",
  "LOGGLY_SUBDOMAIN": "yourwork",
  "LOGGLY_TOKEN": "${LOGGLYKEY}",
  "public": {
    "APP_META": {
      "Name": "Our App",
      "Privacy": "If you ain't paying for the product, you ARE the product."
    }
  }
}
EOF
you@yours:~/proj$

and you’d make it executable with:

you@yours:~/proj$ chmod +x ./template.settings.json.sh;
you@yours:~/proj$

Putting that all together … three lines and you’re all set up:

you@yours:~/proj$ wget -O ${HOME}/.envvars https://gist.githubusercontent.com/yourse1f-yourorg/f6fccc2f363778e4c02593320581744a/raw/e4817535414f0dfd1c2adae21dc816d0b21a0a1f/.envvars
you@yours:~/proj$ source ${HOME}/.envvars;   # loads the three into local environment
you@yours:~/proj$ ./template.settings.json.sh > settings.json;
3 Likes
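Building on the template approach in the post above, the following is an added example (not code from the original post, nor from Meteor) of a rendering script that fails closed instead of writing a settings.json with blank secrets when a variable is unset, JSON-escapes the values so a key containing a quote or backslash cannot corrupt the document, and makes sure the rendered file is listed in .gitignore. The function names render_settings, json_escape and ensure_ignored, the file name render-settings.sh and the variable names MAILGUNKEY and LOGGLYKEY (taken from the post's .envvars) are assumptions.

```shell
#!/bin/bash
# Added example, not code from the original post: render settings.json from
# environment variables, but fail closed on missing secrets and escape values
# for JSON. Function and file names (render_settings, json_escape,
# ensure_ignored, render-settings.sh) are hypothetical.

# Escape backslashes and double quotes so a secret cannot break the JSON
# document. Assumes single-line values (no embedded newlines/control chars).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Emit the settings document on stdout. Returns 1 and prints nothing if any
# required variable is unset or empty, so `render_settings > settings.json`
# never silently produces a file with blank secrets.
render_settings() {
  missing=0
  for name in MAILGUNKEY LOGGLYKEY; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "render_settings: $name is not set in the environment" >&2
      missing=1
    fi
  done
  [ "$missing" -eq 0 ] || return 1

  mailgun_key=$(json_escape "$MAILGUNKEY")
  loggly_token=$(json_escape "$LOGGLYKEY")

  cat <<EOF
{
  "MAILGUN_DOMAIN": "yourpublic.work",
  "MAILGUN_KEY": "${mailgun_key}",
  "LOGGLY_SUBDOMAIN": "yourwork",
  "LOGGLY_TOKEN": "${loggly_token}",
  "public": {
    "APP_META": {
      "Name": "Our App"
    }
  }
}
EOF
}

# Append a path to .gitignore (or a given ignore file) unless it is already
# listed, so the rendered file cannot be committed by accident.
ensure_ignored() {
  path=$1
  ignore_file=${2:-.gitignore}
  grep -qxF "$path" "$ignore_file" 2>/dev/null || printf '%s\n' "$path" >>"$ignore_file"
}

# When run directly as ./render-settings.sh: source the secrets file the post
# describes, render settings.json readable only by the owner, and ignore it.
case "$0" in
  *render-settings.sh)
    [ -f "${HOME}/.envvars" ] && . "${HOME}/.envvars"
    umask 077
    render_settings >settings.json || { rm -f settings.json; exit 1; }
    ensure_ignored settings.json
    ;;
esac
```

Run it as `./render-settings.sh` after fetching `~/.envvars`; on a missing variable it removes the half-written settings.json and exits non-zero, which is the behaviour you want from a deploy step. The `umask 077` keeps the rendered secrets readable only by you, and `ensure_ignored` is idempotent, so it is safe to run on every checkout.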

Keep your production.json file ONE DIRECTORY ABOVE your project directory. Now you never have to worry about it getting committed with your repo, but you can deploy like this:

  "scripts": {
    "deploy": "meteor deploy --settings ../production.json example.com",

Before you edit production.json, make a backup. Or use something like Google Docs to keep a version history for you.

3 Likes

That’s exactly what I do too.

2 Likes

We use gnu pass (https://www.passwordstore.org/) as a password manager. It can store arbitrary strings in a safe way and is also suitable for storing environment variables or a Meteor settings.json. It uses a git repository to store the (encrypted) strings.

With some bash pipe magic you can also use it in scripts (it will prompt for a passphrase) :)

1 Like

Thanks for your answers. It’s much clearer to me now.
I’ll see what best suits my needs.

Thanks!

1 Like