=== Storing Encrypted Secrets in Source Control

The Rails `secrets` command helps encrypt secrets so they don't have to live in a
production environment's `ENV` hash. It's also useful for atomic deploys: there's
no need to coordinate key changes to get everything working, because the keys are
shipped with the code.

=== Setup

Run `rails secrets:setup` to opt in and generate the `config/secrets.yml.key` and
`config/secrets.yml.enc` files. The latter contains all the keys to be encrypted,
while the former holds the encryption key.

Don't lose the key! Put it in a password manager your team can access. Should you
lose it, no one, including you, will be able to access any encrypted secrets.

Don't commit the key! Add `config/secrets.yml.key` to your source control's ignore
file. If you use Git, Rails handles this for you.

Rails also looks for the key in `ENV["RAILS_MASTER_KEY"]` if that's easier to
manage. You could prepend that to your server's start command like this:

    RAILS_MASTER_KEY="im-the-master-now-hahaha" server.start

The `config/secrets.yml.enc` file has much the same format as `config/secrets.yml`:

    production:
      secret_key_base: so-secret-very-hidden-wow
      payment_processing_gateway_key: much-safe-very-gaedwey-wow

But that's where the similarities between `secrets.yml` and `secrets.yml.enc` end:
no keys from `secrets.yml` are moved into `secrets.yml.enc` or encrypted
automatically.

A `shared:` top-level key is also supported: any keys under it are merged into
every other environment.

Additionally, Rails won't read encrypted secrets out of the box, even if you have
the key. Add this:

    config.read_encrypted_secrets = true

to the environment that should read encrypted secrets. `rails secrets:setup`
inserts this into the production environment by default.

=== Editing Secrets

After `rails secrets:setup`, run `rails secrets:edit`.

That command opens a temporary file in `$EDITOR` with the decrypted contents of
`config/secrets.yml.enc` so you can edit the encrypted secrets.

When the temporary file is next saved, its contents are encrypted and written to
`config/secrets.yml.enc`, and the temporary file itself is destroyed to prevent
secrets from leaking.
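The following Ruby script is an added illustration of the mechanics described above (key lookup from `ENV["RAILS_MASTER_KEY"]` with a fallback to the key file, authenticated encryption of the YAML document, and merging of the `shared:` section into an environment). It is not Rails's own code: the real implementation is `Rails::Secrets`, and the cipher choice (AES-128-GCM with a hex-encoded key), the `DemoSecrets` module name and the `--`-joined blob layout are assumptions made here so the example runs with only Ruby's standard library.

```ruby
# Added example, not Rails's own implementation. Shows how a secrets file can be
# encrypted for commit, decrypted with a key that never enters source control,
# and merged with a `shared:` section. AES-128-GCM and the hex key format are
# assumptions for this demo.
require "openssl"
require "yaml"
require "securerandom"

module DemoSecrets
  CIPHER = "aes-128-gcm"

  # Fresh hex key, the kind of value you'd store in config/secrets.yml.key.
  def self.generate_key
    SecureRandom.hex(OpenSSL::Cipher.new(CIPHER).key_len) # 16 bytes -> 32 hex chars
  end

  # Key lookup: the environment variable wins; otherwise read the key file.
  # Returns nil when neither is available so the caller can refuse to proceed.
  def self.lookup_key(env: ENV, key_path: "config/secrets.yml.key")
    return env["RAILS_MASTER_KEY"] if env["RAILS_MASTER_KEY"]
    File.exist?(key_path) ? File.read(key_path).strip : nil
  end

  # Encrypt the plaintext YAML. Output is "hex(ciphertext)--hex(iv)--hex(tag)",
  # a single line that is safe to commit next to the code.
  def self.encrypt(plain_yaml, hex_key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = [hex_key].pack("H*")
    iv = cipher.random_iv            # fresh random IV per encryption
    cipher.auth_data = ""
    ciphertext = cipher.update(plain_yaml) + cipher.final
    [ciphertext, iv, cipher.auth_tag].map { |b| b.unpack1("H*") }.join("--")
  end

  # Decrypt and authenticate. Any change to the committed blob (ciphertext,
  # IV or tag) makes `final` raise OpenSSL::Cipher::CipherError.
  def self.decrypt(blob, hex_key)
    ciphertext, iv, tag = blob.split("--").map { |h| [h].pack("H*") }
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = [hex_key].pack("H*")
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    cipher.update(ciphertext) + cipher.final
  end

  # Parse the decrypted YAML and merge `shared:` under the requested
  # environment; environment-specific keys override shared ones.
  def self.secrets_for(plain_yaml, environment)
    doc = YAML.safe_load(plain_yaml) || {}
    shared = doc["shared"] || {}
    shared.merge(doc[environment] || {})
  end
end

if __FILE__ == $0
  # Constructed sample document, mirroring the format shown above.
  sample = <<~YAML
    shared:
      api_host: example.test
    production:
      secret_key_base: so-secret-very-hidden-wow
      api_host: prod.example.test
  YAML
  key  = DemoSecrets.generate_key
  blob = DemoSecrets.encrypt(sample, key)
  puts "committable blob: #{blob[0, 40]}..."
  p DemoSecrets.secrets_for(DemoSecrets.decrypt(blob, key), "production")
end
```

Two points the script makes concrete: the key is looked up at runtime and never has to be present in the repository, and because the mode is authenticated (GCM), a modified `secrets.yml.enc` fails to decrypt rather than silently yielding altered secrets.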