How to use secrets.yml for API_KEYS in Rails 4.1?

First rule: DO NOT CHECK-IN secrets.yml into the repo.

All right, here's how a secret.yml would look:

development:  secret_key_base: 6a1ada9d8e377c8fad5e530d6e0a1daa3d17e43ee...   # Paste output of $ rake secret here for your dev machine.test:  secret_key_base: _your_secret_ as aboveproduction:  secret_key_base: <%= secure_token %>  STRIPE_PUBLISHABLE_KEY: 'Put your stripe keys for production'  STRIPE_SECRET_KEY: 'Put actual keys for production here'  FB_APP_SECRET: 'same as above'  FB_CALLBACK_URL: 'FB url here'  FB_CALLBACK_UPDATE_URL: 'FB url here'  GOOGLE_KEY: 'Put your keys for production'  GOOGLE_SECRET: 'same as above'  TWITTER_KEY: 'same as above'  TWITTER_SECRET: 'same as above'  TWITTER_USERNAME: 'same as above'  LINKEDIN_KEY: 'same as above'  LINKEDIN_SECRET: 'same as above'

Note the secure_token up there in the production: block. On production server I'm using an initializer to dynamically generate secret_tokens on-the-fly.

sidenote: be careful about spaces and tabs inside the .yml file. It must be properly formatted and spaced (such as having a space after the ':' symbol).

To set it up on production you could then scp the file directly from your local or use the capistrano-secrets-yml gem.

This will not work. See an updated method as per @OddityOverseer's answer below.

To access the environment variables in your app environments/production.rb use:

FB_APP_SECRET            = ENV['FB_APP_SECRET']FB_CALLBACK_URL          = ENV['FB_CALLBACK_URL']FB_CALLBACK_UPDATE_URL   = ENV['FB_CALLBACK_UPDATE_URL']GOOGLE_KEY               = ENV['GOOGLE_KEY']GOOGLE_SECRET            = ENV['GOOGLE_SECRET']TWITTER_KEY              = ENV['TWITTER_KEY']TWITTER_SECRET           = ENV['TWITTER_SECRET']TWITTER_USERNAME         = ENV['TWITTER_USERNAME']LINKEDIN_KEY             = ENV['LINKEDIN_KEY']LINKEDIN_SECRET          = ENV['LINKEDIN_SECRET']

UPDATED August-2016:

To access the environment variables in your app environments/production.rb use:

FB_APP_SECRET            = Rails.application.secrets.FB_APP_SECRETFB_CALLBACK_URL          = Rails.application.secrets.FB_CALLBACK_URLFB_CALLBACK_UPDATE_URL   = Rails.application.secrets.FB_CALLBACK_UPDATE_URLGOOGLE_KEY               = Rails.application.secrets.GOOGLE_KEYGOOGLE_SECRET            = Rails.application.secrets.GOOGLE_SECRETTWITTER_KEY              = Rails.application.secrets.TWITTER_KEYTWITTER_SECRET           = Rails.application.secrets.TWITTER_SECRETTWITTER_USERNAME         = Rails.application.secrets.TWITTER_USERNAMELINKEDIN_KEY             = Rails.application.secrets.LINKEDIN_KEYLINKEDIN_SECRET          = Rails.application.secrets.LINKEDIN_SECRET

That's about it.

Rails.application.secrets.key_name

One way to do it is to store those secret keys in environment variables. How to set an environment variable is different depending on what operating system you're on. For a linux machine, usually you're editing a .bashrc or .bash_profile file in your home directory and adding a line that looks like:

export API_KEYS=apikeygoeshere

You'll have to edit the file for whatever user will run rails.

Then in production.rb, you can refer to those environment variables as:

ENV["API_KEYS"]

Another option is to use a ruby gem that essentially takes care of that for you, like figaro. The way it works is that you create another file that you don't check in and figaro takes care of setting them up as environment variables, which you can then refer to in your development.rb/production.rb scripts using the ENV["API_KEYS"] above. Because you aren't checking in the file that has all of the environment variables, you'll have to find some way to get that file onto whatever machines are running the code.