Where to store sensitive data in public rails app?

滥情空心 2020-12-01 00:49

My personal rails project uses a few APIs for which I store the API keys/secrets in config/environments/production.yml and development.yml as global variables. I now want

5 Answers
  •  清歌不尽
    2020-12-01 01:26

    Use environment variables.

    In Ruby, they're accessible like so:

    ENV['S3_SECRET']
    

    Two reasons:

    1. The values will not make it into source control.
    2. "sensitive data" aka passwords tend to change on a per-environment basis anyways. e.g. you should be using different S3 credentials for development vs production.

    Is this a best practice?
    Yes: http://12factor.net/config

    How do I use them locally?
    foreman and dotenv are both easy. Or, edit your shell.

    How do I use them in production?
    Largely, it depends. But for Rails, dotenv is an easy win.

    What about platform-as-a-service?
    Any PaaS should give you a way to set them. Heroku for example: https://devcenter.heroku.com/articles/config-vars

    Doesn't this make it more complicated to set up a new developer for the project?
    Perhaps, but it's worth it. You can always check a .env.sample file into source control with some example data in it. Add a note about it to your project's readme.
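An added example, not part of the answer above: a boot-time check that treats the checked-in `.env.sample` as the list of required variables and fails fast when one is unset or still holds its sample placeholder. The helper names (`parse_sample`, `check_env`, `require_env!`), the variables other than `S3_SECRET`, and the sample file contents are constructed for illustration.

```ruby
# Constructed .env.sample contents; a real app would File.read(".env.sample").
SAMPLE = <<~ENVFILE
  # .env.sample (checked in; placeholder values only)
  S3_KEY=your-access-key-id
  S3_SECRET=your-secret-access-key
  export MAILER_API_KEY="changeme"
ENVFILE

# Parse dotenv-style text into { "NAME" => "placeholder" }.
# Comments and blank lines are skipped; a leading "export" and
# surrounding quotes are tolerated.
def parse_sample(text)
  text.each_line.each_with_object({}) do |line, vars|
    m = line.strip.match(/\A(?:export\s+)?([A-Za-z_]\w*)\s*=\s*(.*)\z/)
    next unless m
    vars[m[1]] = m[2].sub(/\A(["'])(.*)\1\z/, '\2')
  end
end

# Compare an environment (ENV or a Hash) against the sample file.
# Returns { "NAME" => :missing | :placeholder } for every problem found.
def check_env(sample_text, env = ENV)
  parse_sample(sample_text).each_with_object({}) do |(name, placeholder), problems|
    value = env[name].to_s.strip
    if value.empty?
      problems[name] = :missing
    elsif value == placeholder
      # .env.sample was copied to .env without filling in real credentials
      problems[name] = :placeholder
    end
  end
end

# Call from an initializer so a misconfigured process never starts.
def require_env!(sample_text, env = ENV)
  problems = check_env(sample_text, env)
  return true if problems.empty?
  # Report names and reasons only; never echo secret values into logs.
  details = problems.map { |name, why| "#{name} (#{why})" }.join(", ")
  raise KeyError, "environment not configured: #{details}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed environment: one real-looking value, one placeholder, one unset.
  demo = { "S3_KEY" => "AKIAEXAMPLE", "S3_SECRET" => "your-secret-access-key" }
  p check_env(SAMPLE, demo)
end
```

Keep `.env` itself in `.gitignore`; only `.env.sample` belongs in source control.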
