Step by Step explanation for using Rails secrets.yml without exposing keys to public repo when deploying to Heroku

I am using Rails 4.1.1 and ruby 2.0.0

I've currently added my secrets.yml file to my .gitignore for GitHub.

secrets.yml

development:
  secret_key_base: numb3r57ndl3tt3r5

test:
  secret_key_base: differentnumbersandletters13531515

production:
  # ERB tag: evaluated at boot, so the value comes from the environment, not the file
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

If this production key is dynamic, where does it read it from? Where do we provide that info? How does that info get to heroku without getting to github?

I already have a secret key environment variable in my heroku app's settings. I think it was created when I used the heroku_secrets gem https://github.com/alexpeattie/heroku_secrets to run the rake command rake heroku:secrets RAILS_ENV=production

Can someone explain the conceptual steps, as well as the practical steps on how to utilize secrets.yml properly without exposing secret keys to the public?

If you can also go over with adding another secret key for a different API for instance, that would be much appreciated as well.

I'd like to understand what is happening in the steps in the explanation, rather than something like "do this, do this, do this". Also, if there is code, please specify which file it should be put in, instead of just giving the code, and assuming the reader will know where it goes just based on the code alone (stern look at heroku guide writers)

Thanks! =]

ahnbizcad asked Jul 29 '14 00:07


1 Answer

If you use this key <%= ENV["SECRET_KEY_BASE"] %>

On your local machine you can set environment vars in your shell, like (bash or zsh)

export SECRET_KEY_BASE="yourkeybasehere"

And simulate running in production (but on your local machine) like

RAILS_ENV=production rails s

However, when deploying on Heroku, you can use what they call config vars, by running the heroku config:set command for your app.

heroku config:set SECRET_KEY_BASE=yourkeybasehere

Then the Rails app will populate this config var into secrets.yml

production:
  secret_key_base: yourkeybasehere

Hope this explains the things you need to understand.

Though, if you would like to play and test, one option is to edit your app/views/layouts/application.html.erb file and put in the config var you want to display, for instance a USERNAME config var:

<!DOCTYPE html>
<html>
<head>
  <title><%= ENV['USERNAME'] %></title>
</head>
<body>

<%= yield %>

</body>
</html>

Then deploy to heroku and run

heroku config:set USERNAME=gwho

You should see 'gwho' as the page title.

More details about Heroku config vars: https://devcenter.heroku.com/articles/config-vars

More details about Rails 4.1 secrets.yml: http://edgeguides.rubyonrails.org/4_1_release_notes.html#config/secrets.yml

zdk answered Nov 07 '22 10:11
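As an added example that is not part of the question or the answer above: the following stand-alone Ruby script simulates what Rails 4.1 does with config/secrets.yml at boot (render it through ERB first, then parse the result as YAML and keep the section for the current RAILS_ENV), which is why a production line that reads `<%= ENV["SECRET_KEY_BASE"] %>` is safe to commit while the real value lives only in a Heroku config var. The secrets.yml content is constructed inline, and `STRIPE_API_KEY` / `stripe_api_key` is a hypothetical second secret added to show how another API key follows the same pattern; `load_secrets`, `check_secret_key_base!` and `hardcoded_production_values` are helper names chosen here, not Rails APIs.

```ruby
# Added example (not from the original question or answer): a stand-alone
# simulation of how Rails 4.1 builds Rails.application.secrets from
# config/secrets.yml, plus a pre-commit check that no production value is
# hardcoded in the file.
require "erb"
require "yaml"

# Constructed stand-in for config/secrets.yml. STRIPE_API_KEY is a hypothetical
# second secret, added to show the pattern for any other API key: plain values
# for development/test, an ERB tag that reads ENV for production.
SECRETS_YML = <<~YAML
  development:
    secret_key_base: numb3r57ndl3tt3r5
    stripe_api_key: sk_test_localonly

  test:
    secret_key_base: differentnumbersandletters13531515
    stripe_api_key: sk_test_localonly

  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
    stripe_api_key: <%= ENV["STRIPE_API_KEY"] %>
YAML

# What Rails does at boot: run the file through ERB first (so ENV lookups are
# substituted), then parse the result as YAML and keep only the RAILS_ENV
# section. On Heroku, `heroku config:set SECRET_KEY_BASE=...` is what puts the
# value into ENV for the dyno; the git repository never sees it.
def load_secrets(yml_text, rails_env)
  rendered = ERB.new(yml_text).result(binding)
  all_envs = YAML.safe_load(rendered) || {}
  all_envs.fetch(rails_env, {})
end

# Rails 4.1 refuses to boot in production without a secret_key_base; mirror
# that here so a missing config var fails loudly instead of leaving session
# cookies signed with an empty key. Returns the key when present.
def check_secret_key_base!(secrets, rails_env)
  key = secrets["secret_key_base"]
  if key.to_s.strip.empty?
    raise "Missing `secret_key_base` for '#{rails_env}' environment, " \
          "set this value in `config/secrets.yml`"
  end
  key
end

# Pre-commit check for the actual risk in the question: scan the raw
# (un-rendered) file and report every production value that is a literal
# instead of an `<%= ENV[...] %>` tag. Returns the offending key names.
def hardcoded_production_values(yml_text)
  section = nil
  yml_text.each_line.with_object([]) do |raw, bad|
    line = raw.rstrip
    next if line.empty? || line.lstrip.start_with?("#")
    if line =~ /\A(\w+):\z/ # top-level section header, e.g. "production:"
      section = Regexp.last_match(1)
    elsif section == "production" && line =~ /\A\s+(\w+):\s*(.+)\z/
      key = Regexp.last_match(1)
      value = Regexp.last_match(2)
      bad << key unless value =~ /<%=\s*ENV\[/
    end
  end
end
```

Usage: export `SECRET_KEY_BASE` and `STRIPE_API_KEY` in your shell (or set them with `heroku config:set`), then `load_secrets(SECRETS_YML, "production")["stripe_api_key"]` returns the config var's value, which is what `Rails.application.secrets.stripe_api_key` would give you in the app once the same line is in config/secrets.yml. Running `hardcoded_production_values` over the file before each commit catches the mistake the question is trying to avoid: a real key pasted into the production section.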