Step by Step explanation for using Rails secrets.yml without exposing keys to public repo when deploying to Heroku

StackOverflow https://stackoverflow.com//questions/25006650

Question

I am using Rails 4.1.1 and ruby 2.0.0

I've currently ignored my secrets.yml file to my gitignore for github.

secrets.yml

development:
  secret_key_base: numb3r57ndl3tt3r5

test:
  secret_key_base: differentnumbersandletters13531515

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

If this production key is dynamic, where does it read it from? Where do we provide that info? How does that info get to heroku without getting to github?

I already have a secret key environment variable in my heroku app's settings. I think it was created when I used the heroku_secrets gem https://github.com/alexpeattie/heroku_secrets to run the rake command rake heroku:secrets RAILS_ENV=production

Can someone explain the conceptual steps, as well as the practical steps on how to utilize secrets.yml properly without exposing secret keys to the public?

If you can also go over with adding another secret key for a different API for instance, that would be much appreciated as well.

I'd like to understand what is happening in the steps in the explanation, rather than something like "do this, do this, do this". Also, if there is code, please specify which file it should be put in, instead of just giving the code, and assuming the reader will know where it goes just based on the code alone (stern look at heroku guide writers)

Thanks! =]


Solution

If you use this key <%= ENV["SECRET_KEY_BASE"] %>

On your local machine you can set environment vars in your shell, like (bash or zsh)

export SECRET_KEY_BASE="yourkeybasehere"

And simulate that you run on production (but at your local machine) like

RAILS_ENV=production rails s

However, deploying on Heroku, you can use what they call config vars, by running heroku config:set command for your app.

heroku config:set SECRET_KEY_BASE=yourkeybasehere

Then the Rails app will populate this config var into secrets.yml

production:
  secret_key_base: yourkeybasehere

Hope this explains the things you need to understand.

Though, if you would like to play and test, one option is to edit your app/views/layouts/application.html.erb file and put in the config var you want to display, for instance the USERNAME config var

<!DOCTYPE html>
<html>
<head>
  <title><%= ENV['USERNAME'] %></title>
</head>
<body>

<%= yield %>

</body>
</html>

Then deploy to heroku and run

heroku config:set USERNAME=gwho

You should see 'gwho' at the page title.

More details about Heroku config vars: https://devcenter.heroku.com/articles/config-vars

More details about Rails 4.1 secrets.yml: http://edgeguides.rubyonrails.org/4_1_release_notes.html#config/secrets.yml

OTHER TIPS

Here's a (hopefully simple) step by step guide FOR HEROKU that should be performed prior to pushing files (secrets.yml) to GitHub, or another host.

*I am not an expert on this topic but this worked well for me and seems like a good solution. It combines info from answers to this question as well as answers to this question (How do you keep secrets.yml secret in rails?) to provide a simple guide :)

1) Copy secrets.yml to another file named secrets_backup.yml

you should now have two files with the same content as secrets.yml

2) Add secrets_backup.yml to your .gitignore

3) Change the text in secrets.yml to the following

development:
  secret_key_base: <%= ENV["SECRET_KEY_BASE_DEV"] %>
test:
  secret_key_base: <%= ENV["SECRET_KEY_BASE_TEST"] %>
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

4) cd to your rails project folder on the command line

5) In the terminal type heroku config:set SECRET_KEY_BASE_TEST=<pasted key>, where <pasted key> should be copied and pasted from the test: secret_key_base:<key> which is in secrets_backup.yml

6) In the terminal type heroku config:set SECRET_KEY_BASE_DEV=<pasted key>, where <pasted key> should be copied and pasted from the development: secret_key_base:<key> which is in secrets_backup.yml

7) My secrets.yml file already had the SECRET_KEY_BASE instead of the actual key, so I suspect yours will too. But if not, set the SECRET_KEY_BASE variable as the other two were set above.

8) Push your repo to GitHub and Heroku

9) Smile because you're the G.O.A.T and show off your sweet website!
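The ERB-then-YAML rendering both answers rely on, together with a pre-push check for the literal keys the second answer's steps replace, as an added Ruby example (not code from either answer). The secrets.yml content is constructed for the example, with a deliberately forgotten literal under test:.

```ruby
require "erb"
require "yaml"

# Constructed sample secrets.yml in the shape the second answer recommends,
# except that "test" still carries a literal key (the mistake we want to catch).
SAMPLE_SECRETS = <<~YAML
  development:
    secret_key_base: <%= ENV["SECRET_KEY_BASE_DEV"] %>
  test:
    secret_key_base: differentnumbersandletters13531515
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# The only acceptable shape for a value: an ERB reference to an ENV var.
ENV_REF = /\A<%=\s*ENV\[["'](\w+)["']\]\s*%>\z/

# Scan the raw (un-rendered) file before committing: every secret_key_base must be
# an ENV reference. Returns the environments whose key is a literal string, i.e.
# a value that would land in the public repo in clear text.
def literal_secret_envs(text)
  current_env = nil
  text.each_line.with_object([]) do |line, bad|
    current_env = $1 if line =~ /\A(\w+):\s*\z/
    next unless line =~ /\A\s+secret_key_base:\s*(.+?)\s*\z/
    bad << current_env unless $1.match?(ENV_REF)
  end
end

# Render the file the way Rails does (ERB first, then YAML) and return the key for
# one environment, failing loudly if the config var was never set on that host
# instead of silently running with a blank secret.
def resolve_secret_key_base(text, rails_env)
  rendered = ERB.new(text).result
  config = YAML.safe_load(rendered) || {}
  key = config.dig(rails_env, "secret_key_base")
  raise "secret_key_base for #{rails_env} is blank: set the ENV var" if key.to_s.empty?
  key
end

if __FILE__ == $PROGRAM_NAME
  bad = literal_secret_envs(SAMPLE_SECRETS)
  puts bad.empty? ? "ok: no literal keys" : "literal keys in: #{bad.join(', ')}"
end
```

Run it as a pre-push hook in the project root (or just before step 8 above); a non-empty list means secrets_backup.yml content leaked back into secrets.yml.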

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow