I'm pretty new to rails, but I have some experience programming in PHP and other languages. I really like rails, and I'm working on an application for my company, but I still
As far as I can tell Rails hasn't solved this one yet (as of Rails 4.2).
Here's a great summary of the messy situation.
From Rails 4.1 there's a secrets.yml file that is for all your secrets, but it's not in .gitignore by default. People tell you to put it into .gitignore, but that doesn't help Heroku users get it to production. There's a gem that can help with that. If you do that then you might as well just use the Figaro gem that does all that in a neater way.
From the default contents of the secrets.yml file it looks like the Rails developers intended for it to be included in source code repositories, but for any real secrets you're supposed to use environment variables and import those into the secrets file, which almost defeats the purpose.
If you want to use environment variables to hold the secrets, that means the underlying OS is storing them for you and when you need to use them you ask the OS what the variable is, that way it's not in your code at all. The command for setting the environment variables on Heroku looks like this:
heroku config:set YOUR_SECRET_VAR_NAME=your_secret
There are disadvantages to doing it this way. If you have a lot of secrets things will get messy fast, and it'll be hard to get it set up on a new machine.
The dotenv gem solves these problems, letting you do environment variables without all the downsides of them. I recommend you use dotenv in conjunction with secrets.yml, without putting secrets.yml in the .gitignore, and manually set environment variables on Heroku.
Rails 5.2 has finally solved this by encrypting all your secrets within the Rails app, and then you only need to store one key in an environment variable.
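As an added illustration of the pattern the answer recommends (a committed secrets.yml that only references environment variables, a local dotenv-style file that is never committed, and platform-set variables taking precedence), here is a self-contained Ruby script. It is not code from the answer, the dotenv gem or Rails: the `.env` and `secrets.yml` contents are constructed samples, and `parse_dotenv`, `load_dotenv!`, `load_secrets` and `missing_secrets` are hypothetical helper names. It also adds a check the answer does not mention: failing fast when a required production secret is unset instead of booting with a `nil` value.

```ruby
require "erb"
require "yaml"

# Constructed sample of a dotenv-style .env file (hypothetical values, not from any project).
# This file stays out of version control; it only exists on the developer's machine.
DOTENV_SAMPLE = <<~DOTENV
  # comments and blank lines are ignored
  SECRET_KEY_BASE=0123456789abcdef
  STRIPE_API_KEY="sk_test_example"
  export DATABASE_PASSWORD=hunter2
DOTENV

# Constructed sample in the shape of the secrets.yml Rails 4.1+ generates: the production
# values are pulled from environment variables, so this file itself can be committed.
SECRETS_YML_SAMPLE = <<~YAML
  development:
    secret_key_base: dev_only_not_a_secret
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
    stripe_api_key: <%= ENV["STRIPE_API_KEY"] %>
    database_password: <%= ENV["DATABASE_PASSWORD"] %>
YAML

# Keys production must have; used to fail fast instead of booting with a nil secret.
REQUIRED_PRODUCTION_SECRETS = %w[secret_key_base stripe_api_key database_password].freeze

# Minimal dotenv-style parser (a stand-in for the gem, not its code): KEY=value lines,
# optional "export " prefix, matching single or double quotes stripped. Returns a hash
# and does not touch ENV.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    line = line.sub(/\Aexport\s+/, "")
    key, value = line.split("=", 2)
    next if key.nil? || value.nil?
    value = value.strip
    quoted = value.length >= 2 &&
             ((value.start_with?('"') && value.end_with?('"')) ||
              (value.start_with?("'") && value.end_with?("'")))
    value = value[1..-2] if quoted
    vars[key.strip] = value
  end
end

# Copy parsed values into ENV without overriding anything already set, so a value the
# platform injected (e.g. via `heroku config:set`) always wins over the local .env file.
def load_dotenv!(text)
  parse_dotenv(text).each { |key, value| ENV[key] = value unless ENV.key?(key) }
  ENV
end

# Render the ERB tags and parse the YAML, which is how Rails reads config/secrets.yml,
# then return the section for one environment (an empty hash if it is not defined).
def load_secrets(yaml_text, rails_env)
  rendered = ERB.new(yaml_text).result(binding)
  (YAML.safe_load(rendered) || {}).fetch(rails_env, {})
end

# An unset environment variable renders as an empty string, which YAML turns into nil.
# Report every required key that ended up nil or blank.
def missing_secrets(secrets, required)
  required.select { |key| secrets[key].nil? || secrets[key].to_s.strip.empty? }
end

if __FILE__ == $PROGRAM_NAME
  load_dotenv!(DOTENV_SAMPLE)
  secrets = load_secrets(SECRETS_YML_SAMPLE, "production")
  missing = missing_secrets(secrets, REQUIRED_PRODUCTION_SECRETS)
  if missing.empty?
    puts "production secrets present: #{secrets.keys.join(', ')}"
  else
    puts "refusing to boot, missing production secrets: #{missing.join(', ')}"
  end
end
```

Two details worth noting: `load_dotenv!` never overwrites an existing variable, which is what makes the "set it on Heroku, keep it in .env locally" split work, and because ERB runs before YAML parsing, a purely numeric secret would be parsed as an integer, so quote the tag (`"<%= ENV["X"] %>"`) if a value might look like a number.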