Charles Maxwood
Podcast Appearances
Hey folks, welcome back to another episode of the Ruby Rogues podcast. This week on our panel, we have Valentino Stoll. Hey now. I'm Charles Maxwood from Top End Devs. And this week we're here with Brian Vallelunga. Now, you are the CEO and co-founder of Doppler. And that's an app that helps manage secrets. You probably have a better pitch than that. So I'll let you explain what you do.
And I think, I don't know, in the Ruby community, at least where I deal with people, and especially in Rails, right, we kind of understand what the secrets are at your passwords, maybe your, you know, you have your Rails master key, which gives you access to the secrets in Rails, but you also have like your, what is that? It's a token for your sessions. I can't remember what that's called anyway.
So you need that secret key and yeah, people can compromise your security if you don't have that secured. Are there things besides like passwords and API keys that you consider secrets?
Right. So I'm just going to kind of cover the basics of how I do this, and then maybe you can tell us if there are other ways that you're seeing people do it. But, uh, typically these kinds of things, where I see them, and I'm sure Valentino's in kind of the same boat, is they either show up in environment variables and/or they show up in, um, in the Rails secrets, and effectively what it is is it's a, uh, it's an encrypted file.
And so then the encryption key is usually put into an environment variable or, you know, passed into the system that you're running it on on the other end in some way. And lately I've been doing my deployments with Kamal, which uses Docker. And so it kind of sets that all up when it sets up the container.
But I've always kind of wondered because you can ask the system if you can get into it, what the environment variables are. So I don't even know if that's the best practice anymore.
What are you doing, Valentino? Is it kind of the same?
Yeah, I remember using a system like this way back in the day. I think you had to log into their interface or use their command line interface in order to edit your secrets. And I can't for the life of me remember what it was called. But I played with it and it was cool. It was just there were steps to setting it up and I'm lazy. And so I just went back to what I was doing.
I kind of want to dive in a little bit more on just why we protect the secrets. Because I think we all kind of intellectually know, but... I don't know when I get into stuff and I start, you know, dealing with the secrets, it's like, Oh, somebody got access to my, like my Stripe tokens. I mean, that, that could be really, really bad, really bad.