---
title: Use Secure Secrets Management
impact: CRITICAL
impactDescription: prevents secrets from being leaked through source control or compromised environments
tags: security, secrets, infrastructure
---

## Use Secure Secrets Management

Store secrets in a dedicated secrets manager (HCP Vault, AWS Secrets Manager, Rails encrypted credentials) rather than in plaintext environment variables or local files: a `.env` file or a hardcoded value is one `git add .` away from source control and is readable by any process or person with access to the host.

**Incorrect (plaintext file or hardcoded):**

```bash
# .env file: plaintext, often accidentally committed, and readable by
# anything that can read the file or dump the process environment
API_KEY=12345
```

**Correct (Rails Credentials):**

```ruby
# EDITOR=vim rails credentials:edit
# This creates/edits config/credentials.yml.enc (encrypted). The file is safe
# to commit; the decryption key lives in config/master.key (gitignored by
# default) or in the RAILS_MASTER_KEY environment variable on the server.
api_key = Rails.application.credentials.api_key
```
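The page lists git-secrets as a tool for catching plaintext secrets before they are committed. The script below is an added example in that spirit, not code from the original page or from any project: it reports literal values assigned to secret-looking keys in `.env`, YAML and Ruby sources, flags a few well-known credential formats, and lists sensitive files that a `.gitignore` does not cover. The key names, patterns, file paths and sample input are constructed for illustration and should be tuned for a real codebase.

```ruby
# Added example, not from the original page or any project: a small
# pre-commit style scanner in the spirit of git-secrets. Key names, patterns,
# file paths and the sample input are constructed for illustration.

# Identifiers that usually carry a secret. Lookarounds treat "_" as a
# separator so AWS_ACCESS_KEY_ID and c.api_key both match.
SECRET_KEY_PATTERN =
  /(?<![a-z0-9])(?:api[_-]?key|secret(?:[_-]?key)?|password|passwd|token|access[_-]?key)(?![a-z0-9])/i

# One-line assignment in dotenv (KEY=value), YAML (key: value) or Ruby
# (key = value, :key => value). The value must be a quoted string or a bare
# token; method calls, ENV lookups and indexing do not match on purpose.
ASSIGNMENT_PATTERN =
  /\A\s*(?<key>[A-Za-z_:][\w.:\[\]'"-]*)\s*(?:=>|[:=])\s*(?<value>"[^"]+"|'[^']+'|[^\s"'\[\]()]+)\s*(?:#.*)?\z/

# Values that reference a secrets store or are not literals at all.
SAFE_VALUE_PATTERN = /\A(?:ENV\b|Rails\.application\.(?:credentials|secrets)\b|"#\{|nil\z|true\z|false\z)/

# Credential formats worth reporting regardless of the key name.
FORMAT_PATTERNS = {
  "AWS access key id" => /\bAKIA[0-9A-Z]{16}\b/,
  "GitHub token"      => /\bgh[pousr]_[A-Za-z0-9]{36,}\b/,
  "private key block" => /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/
}.freeze

Finding = Struct.new(:path, :line, :reason, :text)

# Scan the text of one file and return the findings for it.
def scan_content(path, content)
  findings = []
  content.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    next if line.strip.empty? || line.strip.start_with?("#")

    format_hit = FORMAT_PATTERNS.find { |_, re| line.match?(re) }
    if format_hit
      findings << Finding.new(path, lineno, format_hit[0], line.strip)
      next
    end

    m = ASSIGNMENT_PATTERN.match(line)
    next unless m && m[:key].match?(SECRET_KEY_PATTERN) && !m[:value].match?(SAFE_VALUE_PATTERN)

    findings << Finding.new(path, lineno, "literal assigned to secret-looking key", line.strip)
  end
  findings
end

# Scan a hash of path => content and return all findings in file order.
def scan_files(files)
  files.flat_map { |path, content| scan_content(path, content) }
end

# Files that must never reach source control (assumed list).
SENSITIVE_PATHS = %w[.env config/master.key config/credentials/production.key].freeze

# True when one .gitignore rule covers the path. Rules without a slash match
# the basename, as in git; a leading "/" anchors the rule to the repo root.
def ignored_by?(path, rule)
  rule = rule.delete_prefix("/")
  candidate = rule.include?("/") ? path : File.basename(path)
  File.fnmatch(rule, candidate, File::FNM_DOTMATCH | File::FNM_PATHNAME)
end

# Sensitive paths that no rule in the given .gitignore text covers.
def unignored_sensitive_paths(gitignore_text, paths = SENSITIVE_PATHS)
  rules = gitignore_text.each_line.map(&:strip).reject { |r| r.empty? || r.start_with?("#") }
  paths.reject { |path| rules.any? { |rule| ignored_by?(path, rule) } }
end

# Constructed sample repository content; none of these values are real.
SAMPLE_FILES = {
  ".env" => <<~DOTENV,
    # local settings
    API_KEY=12345
    DATABASE_URL=postgres://localhost/app
    AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE12
  DOTENV
  "config/initializers/payments.rb" => <<~RUBY,
    Payments.configure do |c|
      c.api_key = "sk_live_constructed_example_value"
      c.timeout = 30
    end
  RUBY
  "config/settings.yml" => <<~YAML,
    smtp:
      password: "hunter2"
      username: mailer
    api_key: <%= Rails.application.credentials.api_key %>
  YAML
  "app/services/client.rb" => <<~RUBY
    api_key = Rails.application.credentials.api_key
    token = ENV.fetch("SERVICE_TOKEN")
  RUBY
}.freeze

# Constructed .gitignore that forgets .env and the per-environment key files.
SAMPLE_GITIGNORE = <<~GITIGNORE
  /log/*
  /tmp
  /config/master.key
GITIGNORE

if $PROGRAM_NAME == __FILE__
  scan_files(SAMPLE_FILES).each { |f| puts "#{f.path}:#{f.line}: #{f.reason}: #{f.text}" }
  unignored_sensitive_paths(SAMPLE_GITIGNORE).each { |p| puts "not ignored: #{p}" }
end
```

Run against the constructed sample, the scanner reports the plaintext `API_KEY` and the AWS key in `.env`, the hardcoded Stripe-style key in the initializer and the YAML password, while leaving the `Rails.application.credentials` and `ENV.fetch` lookups alone; the `.gitignore` check reports `.env` and `config/credentials/production.key` as not ignored. In a real repository, wire a scanner like this (or git-secrets itself) into a pre-commit hook and treat any finding as a blocker.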

**Tools:** Brakeman (static analysis for Rails applications, including checks for secrets in code and config), git-secrets (blocks commits that contain secret-looking patterns)

---
