Step by Step explanation for using Rails secrets.yml without exposing keys to public repo when deploying to Heroku

小鲜肉 2021-02-03 15:27

I am using Rails 4.1.1 and Ruby 2.0.0.

I've currently ignored my secrets.yml file in my gitignore for GitHub.

secrets.yml

develo         


        
2 answers
  • 2021-02-03 16:05

    If you use this key <%= ENV["SECRET_KEY_BASE"] %>

    On your local machine you can set environment vars in your shell, like (bash or zsh)

    export SECRET_KEY_BASE="yourkeybasehere"
    

    And simulate that you run on production (but at your local machine) like

    RAILS_ENV=production rails s
    

    However, when deploying on Heroku, you can use what they call config vars, by running the heroku config:set command for your app.

    heroku config:set SECRET_KEY_BASE=yourkeybasehere
    

    Then the Rails app will populate this config var into secrets.yml

    production:
      secret_key_base: yourkeybasehere
    

    Hope this explains the things you need to understand.

    Though, if you would like to play and test, one option is to edit your app/views/layouts/application.html.erb file and put in the config var you want to display, for instance the USERNAME config var

    <!DOCTYPE html>
    <html>
    <head>
      <title><%= ENV['USERNAME'] %></title>
    </head>
    <body>
    
    <%= yield %>
    
    </body>
    </html>
    

    Then deploy to Heroku and run

    heroku config:set USERNAME=gwho

    You should see 'gwho' in the page title.

    More details about Heroku config vars: https://devcenter.heroku.com/articles/config-vars

    More details about Rails 4.1 secrets.yml: http://edgeguides.rubyonrails.org/4_1_release_notes.html#config/secrets.yml

    0 Discussion (0)
  • 2021-02-03 16:15

    Here's a (hopefully simple) step by step guide FOR HEROKU that should be performed prior to pushing files (secrets.yml) to GitHub, or another host.

    *I am not an expert on this topic but this worked well for me and seems like a good solution. It combines info from answers to this question as well as answers to this question (How do you keep secrets.yml secret in rails?) to provide a simple guide :)

    1) Copy secrets.yml to another file named secrets_backup.yml

    You should now have two files with the same content as secrets.yml

    2) Add secrets_backup.yml to your .gitignore

    3) Change the text in secrets.yml to the following

    development:
      secret_key_base: <%= ENV["SECRET_KEY_BASE_DEV"] %>
    test:
      secret_key_base: <%= ENV["SECRET_KEY_BASE_TEST"] %>
    production:
      secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
    

    4) cd to your rails project folder on the command line

    5) In the terminal type heroku config:set SECRET_KEY_BASE_TEST=<pasted key>, where <pasted key> should be copied and pasted from the test: secret_key_base:<key> which is in secrets_backup.yml

    6) In the terminal type heroku config:set SECRET_KEY_BASE_DEV=<pasted key>, where <pasted key> should be copied and pasted from the development: secret_key_base:<key> which is in secrets_backup.yml

    7) My secrets.yml file already had the SECRET_KEY_BASE instead of the actual key, so I suspect yours will too. But if not, set the SECRET_KEY_BASE variable as the other two were set above.

    8) Push your repo to GitHub and Heroku

    9) Smile because you're the G.O.A.T and show off your sweet website!

    0 Discussion (0)
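
A check that could run before the push in step 8, as an added example (not part of either answer, nor of Rails or Heroku): it reports any secrets.yml entry that is still a literal value and any referenced variable that is unset, without printing secret values. The names `audit_secrets`, `ENV_REF`, the `ENVREF=` marker and the sample data are assumptions constructed for illustration.

```ruby
require "yaml"

# Matches the ERB form used in the answers: <%= ENV["NAME"] %> (either quote style).
ENV_REF = /<%=\s*ENV\[\s*["'](\w+)["']\s*\]\s*%>/

# Constructed sample: one literal key left in the file, two ENV lookups.
SAMPLE = <<~'YML'
  development:
    secret_key_base: 0123abcd-constructed-not-a-real-key
  test:
    secret_key_base: <%= ENV["SECRET_KEY_BASE_TEST"] %>
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YML
SAMPLE_ENV = { "SECRET_KEY_BASE" => "constructed-value" }.freeze

# Returns a list of problems found in the text of a secrets.yml file.
# env is any object answering [] with variable names (ENV or a Hash).
def audit_secrets(text, env = ENV)
  # Swap each ENV lookup for a marker so no real value is ever rendered.
  marked = text.gsub(ENV_REF) { "ENVREF=#{Regexp.last_match(1)}" }
  config = YAML.safe_load(marked)
  return [] unless config.is_a?(Hash)
  problems = []
  config.each do |rails_env, settings|
    next unless settings.is_a?(Hash)
    settings.each do |key, value|
      ref = value.to_s[/\AENVREF=(\w+)\z/, 1]
      if ref.nil?
        # Not an ENV lookup: the value itself would be committed with the file.
        problems << "#{rails_env}.#{key}: literal value in file"
      elsif env[ref].to_s.empty?
        problems << "#{rails_env}.#{key}: #{ref} is not set"
      end
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  # With a path argument, audit that file against the real environment.
  path = ARGV.first
  puts path ? audit_secrets(File.read(path)) : audit_secrets(SAMPLE, SAMPLE_ENV)
end
```

Only the `ENV["NAME"]` lookup form shown on this page is recognised; any other value, including other ERB expressions, is reported as a literal for manual review.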