How do you keep secrets.yml secret in rails?

猫巷女王i 2021-02-03 12:28

I'm pretty new to rails, but I have some experience programming in PHP and other languages. I really like rails, and I'm working on an application for my company, but I still

4 answers
  •  不知归路
    2021-02-03 12:41

    All very good questions. Although there is probably no serious harm in not securing development and test secrets, it is good practice to do so. There is no upside in revealing information which could potentially make it easier for a bad actor to access your application code or data.

    As of Rails 4.1, config/secrets.yml can be used to manage all of your application secrets. This is described in the Rails 4.1 release notes. If you manage your secrets in this file, you should definitely include the file in .gitignore so that your secrets do not show up in your code repository, even if it is currently private. You never know if you will want to open source your code in the future or share your private repository with another collaborator. As you probably know, once you put a file in git, it can be an involved process to remove all traces of it. Alternatively, you could maintain a secrets.yml template in git so that you have source control of the format of your secrets file, but keep the actual secrets in a separate file.

    How you manage your secrets in production depends on your deployment platform. If you deploy to your own server, you just need to make sure that you have a mechanism to separately maintain deployment of secrets.yml, since it will not be available in your git repository. You should be able to manage this through your deployment process using a tool like Capistrano or Mina. If you deploy to Heroku, you need to set config variables either through the Heroku CLI or the Heroku dashboard as described in the documentation.

    Hope this helps.
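
An added example (not part of the answer above or of Rails itself): a Ruby check for the template approach the answer describes, listing which secrets required by the committed template are still missing, blank or left as a placeholder in the real, git-ignored file. The file contents, the `CHANGE_ME` placeholder and the `smtp_password` key are constructed for illustration; production reads `SECRET_KEY_BASE` from the environment through ERB, which is how a Heroku config variable reaches the application.

```ruby
require "erb"
require "yaml"

# Constructed sample: the template committed to git (placeholders only).
TEMPLATE = <<~YAML
  development:
    secret_key_base: CHANGE_ME
    smtp_password: CHANGE_ME
  production:
    secret_key_base: CHANGE_ME
    smtp_password: CHANGE_ME
YAML

# Constructed sample: the real config/secrets.yml, listed in .gitignore.
# The production value comes from an environment variable via ERB.
ACTUAL = <<~YAML
  development:
    secret_key_base: 3f9a-constructed-dev-value
    smtp_password: CHANGE_ME
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

PLACEHOLDER = "CHANGE_ME" # assumed placeholder convention for this example

# Render ERB first, then parse the YAML into { environment => secrets }.
def load_secrets(text)
  YAML.safe_load(ERB.new(text).result) || {}
end

# Keys the template requires for `env` that the real file leaves
# missing, blank, or still set to the placeholder.
def unset_secrets(template_text, actual_text, env)
  required = load_secrets(template_text).fetch(env, {}) || {}
  actual = load_secrets(actual_text).fetch(env, {}) || {}
  required.keys.select do |key|
    value = actual[key].to_s.strip
    value.empty? || value == PLACEHOLDER
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[development production].each do |env|
    puts "#{env}: unset #{unset_secrets(TEMPLATE, ACTUAL, env).inspect}"
  end
end
```

Run as a deploy step, a non-empty result for the target environment is a reason to stop before the application boots with a blank or placeholder secret.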
