Best place to store secret keys in Rails

If my code will not be shared, and

My Rails app is on my own server, then

Does it make a difference if the secret keys are in environment variables or ~/config/secrets.yml ?


I would say, no, it doesn't matter. A couple other ways to do it is to store the secrets in your database (assuming your database is secure), or as environment variables.


Probably not. But if the configuration comes from the environment, and the Apache/Nginx config are owned by a different user than the Rails app, then maybe there's a need for an attacker to get root or at least compromise two users in order to access the configuration. Seems weak as an argument to me. If someone owns your server, they own your server. These files need to be readable for other processes to read them.

I suspect that the larger issue under protection here is you uploading your code to Github/lab and then forgetting and making it public.


Sure, why not. I store all my stuff in secrets.yml but best practice to not commit secrets.yml (or database.yml) to version control.

At the point where they can run code on your servers it’s game over anyway (for example attach gdb to running process and extract the value that way). More relevant are things like

  • source control (as you note)

  • your development machine gets stolen, compromised etc.

Personally I would also consider not having secrets there a protection against myself stops me accidentally running stuff in a development environment that ends up using the production version of some api.