
I'm writing an application which requires an API key. However, I also want to make this open source and push it to a public Git repository.

Obviously I don't want to give my API key out publicly.


My plan is to store the key in a file called secret.txt which will be read in at runtime, and add secret.txt to the .gitignore file before committing to the repo.


Is that a safe way of hiding it or do I need to something more to make sure others can't get a hold of it?

pythonmegapixel

into tech, public transport and architecture // amateur programmer // youtuber // beginner photographer

Thanks for reading all this by the way!

By the way, my desktop is a docked laptop. Get over it. No, seriously, I have an external monitor, keyboard, mouse, headset, ethernet and cooling fans all connected. Using it feels no different to a desktop, it works for several hours if the power goes out, and disconnecting just a few cables gives me something I can take on the go. There's enough power for all games I play and it even copes with basic (and some not-so-basic) video editing. Give it a go - you might just love it.

https://linustechtips.com/topic/1321245-is-gitignore-ok-api-keys/

Normally you would save these in a .env file, then load them into your environment before starting your application.


For Node I use env-cmd, for Python I use python-dotenv. You didn't say what language you are using, but this is a common pattern and there should be some module to help you out.


https://www.npmjs.com/package/env-cmd

https://pypi.org/project/python-dotenv/

Vorticalbox
Scientia Potentia est


1 minute ago, vorticalbox said:

Normally you would save these in a .env file, then load them into your environment before starting your application.


For Node I use env-cmd, for Python I use python-dotenv. You didn't say what language you are using, but this is a common pattern and there should be some module to help you out.

This doesn't answer the question though. If I just put .env in the .gitignore file, is that sufficient security to prevent the key from accidentally reaching the public repository, or do I have to do something else?

pythonmegapixel


3 minutes ago, pythonmegapixel said:

This doesn't answer the question though. If I just put .env in the .gitignore file, is that sufficient security to prevent the key from accidentally reaching the public repository, or do I have to do something else?

yes.

Vorticalbox


So just covering some basics: files you are about to commit are called staged files, so when you do a `git commit -m "Hello world"` you will be creating a new change with the staged files.


Entries in the `.gitignore` file will prevent you from staging those files. So if you put the `.env` file name in your `.gitignore` you won't stage it; however, I can't speak for git GUI tools and how they work, and like @duncannah you can force stage a file.


Usually before I commit work I check what is staged; you can do this with `git status`, so if you see your `.env` file is staged, you can unstage the file with `git reset .env`.

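The behaviour described in the reply above, as an added example that is not part of the thread: a throwaway repo built from constructed values shows that a `.gitignore` entry keeps `.env` unstaged under `git add .`, that `git add -f` still bypasses it, that `git reset .env` unstages it, and that a pre-commit hook can refuse the commit as a second guard. It assumes `git` is installed; the key value and the user identity are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): .gitignore vs. staging, and a guard hook.
set -eu

# Create a throwaway repo and cd into it. The API key value is a constructed placeholder.
setup_repo() {
  REPO_DIR=$(mktemp -d)
  cd "$REPO_DIR"
  git init -q .
  git config user.email "dev@example.invalid"   # placeholder identity
  git config user.name "dev"
  printf 'API_KEY=constructed-placeholder-value\n' > .env
  printf '.env\n' > .gitignore
  git add .gitignore
  git commit -q -m "Ignore .env"
}

# Print 1 if the path is matched by .gitignore, else 0 (uses git check-ignore).
is_ignored() { if git check-ignore -q -- "$1"; then echo 1; else echo 0; fi; }

# Print 1 if the path is in the index (what `git status` reports as staged), else 0.
is_staged() {
  if git ls-files --error-unmatch -- "$1" >/dev/null 2>&1; then echo 1; else echo 0; fi
}

# A plain `git add .` must not pick up .env because of the .gitignore entry.
plain_add_stages_env() { git add . && is_staged .env; }

# `git add -f` overrides .gitignore: this is the path by which a key can still leak.
force_add_stages_env() { git add -f -- .env && is_staged .env; }

# The fix from the thread: unstage with `git reset .env`, then re-check the index.
unstage_env() { git reset -q -- .env && is_staged .env; }

# Second line of defence: a hook that rejects any commit with .env in the index.
install_guard_hook() {
  cat > .git/hooks/pre-commit <<'EOF'
#!/bin/sh
if git diff --cached --name-only | grep -qxF '.env'; then
  echo "pre-commit: .env is staged, refusing to commit" >&2
  exit 1
fi
EOF
  chmod +x .git/hooks/pre-commit
}

# Print 1 if a commit with .env force-staged gets through, 0 if the hook blocks it.
commit_with_env_staged() {
  git add -f -- .env
  if git commit -q -m "oops" >/dev/null 2>&1; then echo 1; else echo 0; fi
}
```

Run `setup_repo` first, then call the other functions in order; `git status --short` between steps shows `.env` appear and disappear from the staged list.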
