Cool Kids don't store plain-text

Não é de minha autoria, mas achei muito interessante essa maneira de proteger o database.yml. Segue:

Fonte: http://www.nofluffjuststuff.com/blog/david_bock/2009/12/cool_kids_don_t_store_plain_text

Nobody likes putting important passwords in a plain text config file. So what are your options?

1) Use a one-time, throw-away password
I typically do this for most Rails projects that I work on (e.g. user: “acme”, pass: “acme”)

2) Prompt for the password
Unfortunately there are times when access is tied to a real password. On my current project, the DB password is the same as my email password (served via LDAP).

Prompting in a config file? Yes, this is the default in Rails, and can be done easily in other Ruby projects. This is all you need to get a command-line password prompt when loading database.yml:
# Within config/database.yml or your custom config file... <textarea name='code' class='ruby'> # Within config/database.yml or your custom config file…<br /> <%</p> <ol> <li>Cool kids don’t store plaintext<br /> def prompt_for_password<br /> return <code>passwd if @passwd require 'highline/import' @passwd = ask("DB password: ") { |q| q.echo = false } end %> development: host: somehost.example.com username: arild.shirazi</code>example.com<br /> password: <%= prompt_for_password %><br />

If you are not using Rails, you will need to evaluate ERB within your config file whenever you load it:

BONUS: When using this method, your checked-in config/database-example.yml could be setup to work for all users out-of-the box. Just add some ERB to determine the correct mysql socket to use (<% system(mysql_config —socket) %>), and create a rake dependency that copies database-example.yml to database.yml when needed and you’re good to go.

NOTE: Feel free to roll your own prompts:

But using the highline library really improves readability. Also, using highline is a great way to promt from inside rake scritps.

Sei lá, acho que isso trás mais complicação do que benefício. Impede deploys automáticos, se o server cair não vai conseguir subir sem alguem ir lá e digitar a senha… acho que o principal problema foi não ter criado um user específico para a aplicação. Não vejo tanto problema em guardar o arquivo em plaintext, se o server não tem segurança física, não tem segurança nenhuma.

Mas valeu pela idéia, não conhecia =)

Concordo com o Fernando. Meu database.yml nao vai pro scm, fica no server.
Se alguem conseguir quebrar a minha chave RSA (cool kids disable ssh password auth)…