How to secure Postgres client certificates on Heroku

I'm connecting a Rails app hosted on Heroku, to an external PostgreSQL database using SSL certificates for authentication.

This requires three files: (1)the signed certificate (2)the key (3)the root ca certificate.

The signed cert and the root cert can both be added to the git repo, but the key must be kept secure.

For passwords, we would use ENV/'Config Vars' to keep things safe .... but how do I secure the key file?

I asked Heroku themselves, but they said this was "an issue that falls outside the nature of the Heroku Support policy."

So I'm asking the experts instead 😉

Solution

One way to avoid commiting the key file would I guess be to add the key to a ENV var and then setup a git hook or Procfile command that dumps the ENV var into a file (since the file system is reset every time you push). You can use the PGSSLKEY ENV var to set the file path.

How can I disable Hotwire / Turbo (the Turbolinks replacement) for all forms in a Rails application?
RSpec Stubbing out Date.today in order to test a method
How to specify a prefix when uploading to S3 using activestorage's direct upload?
Duration between two dates in Ruby (Rails)
CMS for ecommerce website in rails
Ruby gsub capturing groups
Can I switch to Amazon S3 later in Rails 7 after using local storage?
Rails 7/StimulusJS relative import: working on dev, but not production
Rails: ActiveSupport::MessageEncryptor::InvalidMessage
How can I unlock my gemfile so I can access the rails server?
What do I pass to schema_migration in ActiveRecord::MigrationContext#new
How do I stop Routing Errors errors from causing all sorts of warning?
Where do you put your Rack middleware files and requires?
How to prevent the <p> tag from wrapping around my input with tinymce in Rails?
Clickable Table Rows in Ruby on Rails
How to determine if one array contains all elements of another array
Adding page-specific CSS to Rails Asset Pipeline
Rails 7.1, log to STDOUT and log/production.log
Add custom fields to object in ROR application
Hit web endpoints behind Devise authentication with non-browser request in a Rails app
How to revert/undo local changes to an Activerecord object?
Disabling GraphQL introspection requests on production
carrierwave png thumbnails from svg upload
When rails app create database and collection when using MongoDb?
Sidekiq sending jobs to test queue instead of developement queue
rails assert_difference without specific difference value
How best to propogate an `admin` status to children using Rails and Ancestry
Rails minitest + authlogic cannot authenticate
How does bundler work (in general)?
`belongs_to` and `before_create` order in Rails