- the dotenv gem
- the figaro gem
- the rbenv-vars plugin
I looked at each but of these and at a number of other ad-hoc workflows based on, more or less, the same ideas.
They would solve the problem but I found each to be somewhat inelegant. I was looking for a solution that makes both reading in the credentials and their deployment as smooth as possible. So I came up with the following workflow:
1. create config/secrets.yml
Since 4.1 secrets.yml is supposed to be the "official" container of sensitive data.
2. Put it in .gitignore
Surprisingly, this is not done yet by default when you start with a scaffold.
3. Use econfig to read in the credentials in the application
The econfig link above explains the changes that need to be made in the code base - and they are really minimal.
In essence, econfig reads in by default a number of files that might contain credentials - including config/secrets.yml. It makes it possible to refer to these in the application as
4. Use capistrano-secrets-yml to deploy config/secrets.yml in production.config.credential
This workflows seems really very minimal - the two gems complement each other nicely and make the process smooth - I tested it and I am happy with it.