Handles deploying secrets.yml file with Rails 4.1+
Switch branches/tags
Nothing to show
Clone or download
Failed to load latest commit information.
lib Rollback of the system_user value. Not necessary anymore. Dec 29, 2017
.gitignore Switched upload! to Net::SCP.upload! so we can use new :system_user t… Oct 31, 2017
Gemfile First commit, boilerplate setup Oct 7, 2014
LICENSE.md First commit, boilerplate setup Oct 7, 2014



Capistrano tasks for handling secrets.yml when deploying Rails 4+ apps.


Add this to Gemfile:

group :development do
  gem 'capistrano', '~> 3.10.0'
  gem 'capistrano-secrets-yml', '~> 1.1.0'

And then:

$ bundle install

Setup and usage

  • Make sure your local config/secrets.yml is not git tracked. It should be on the disk, but gitignored.

  • Populate production secrets in local config/secrets.yml:

        secret_key_base: d6ced...
  • Add to Capfile:

      require 'capistrano/secrets_yml'
  • Create secrets.yml file on the remote server by executing this task:

      $ bundle exec cap production setup

You can now proceed with other deployment tasks.

What if a new config is added to secrets file?

  • add it to local config/secrets.yml:

        secret_key_base: d6ced...
        foobar: some_other_secret
  • if you're working in a team where other people have the deploy rights, compare you local secrets.yml with the one on the server. This is to ensure you didn't miss an update.

  • copy to the server:

      $ bundle exec cap production setup
  • notify your colleagues that have the deploy rights that the remote secrets.yml has been updated so they can change their copy.

How it works

When you execute $ bundle exec production setup:

  • secrets from your local secrets.yml are copied to the servers in your config/deploy/{environment}.rb files using the user: value. a.
  • only "stage" secrets are copied: if you are deploying to production, only production secrets are copied there
  • on the server secrets file is located in #{shared_path}/config/secrets.yml

On deployment:

  • secrets file is automatically symlinked to #{current_path}/config/secrets.yml



More Capistrano automation?

Check out capistrano-plugins github org.


  • shouldn't we be keeping configuration in environment variables as per 12 factor app rules?

    On Heroku, yes.
    With Capistrano, those env vars still have to be written somewhere on the disk and used with a tool like dotenv.

    Since we have to keep configuration on the disk anyway, it probably makes sense to use Rails 4 built-in secrets.yml mechanism.