Dev.to
5/11/2026

Stop Leaking API Keys: Managing Secrets in Kamal 2
Short summary
Kamal 2 overhauls secrets management for Rails deployments, preventing accidental API key commits to GitHub. The tool lets you specify which environment variables are secrets in deploy.yml, then fetches their actual values from a password manager CLI at deployment time, keeping keys off your hard drive. This setup eliminates the risk of leaked .env files and takes about 10 minutes to configure.
- Kamal 2 distinguishes between public and secret environment variables in deploy.yml configuration
- Secrets are fetched from password manager CLIs (1Password, Bitwarden) at deployment time, never stored locally on disk
- This pattern prevents accidental commits to GitHub and protects against compromised laptop scenarios
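A check for the "never stored locally on disk" property, as an added example that is not code from the article or from Kamal: it lints a Kamal 2 secrets file and reports any key whose value is a literal instead of a deploy-time lookup. Assumptions: the file is Kamal 2's `.kamal/secrets` in dotenv form, the function names are hypothetical, and the account, vault, item and key names in the sample are constructed.

```shell
#!/bin/sh
# Added example: flag hardcoded values in a Kamal 2 secrets file.
# A safe line resolves at deploy time: VALUE is $(command ...) or a $VAR / ${VAR}.

# Prints the name of every key holding a literal value; status 1 if any is found.
# The body is a subshell "( ... )", so its variables stay local and "exit"
# only ends the function.
audit_kamal_secrets() (
  bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac       # blank line or comment
    case "$line" in *=*) ;; *) continue ;; esac     # not a KEY=value line
    key="${line%%=*}"
    value="${line#*=}"
    value="${value#\"}"; value="${value%\"}"        # drop surrounding double quotes
    case "$value" in
      ''|'$('*')'|'${'*'}'|'$'[A-Za-z_]*) ;;        # empty, or resolved at deploy time
      *) printf '%s\n' "$key"; bad=1 ;;             # literal value sitting on disk
    esac
  done < "$1"
  exit "$bad"
)

# Writes a constructed sample secrets file to the path given as $1.
write_sample_secrets() {
  cat > "$1" <<'EOF'
# constructed sample: account, vault, item and key names are placeholders
SECRETS=$(kamal secrets fetch --adapter 1password --account example-account --from ExampleVault/ExampleItem KAMAL_REGISTRY_PASSWORD RAILS_MASTER_KEY)
KAMAL_REGISTRY_PASSWORD=$(kamal secrets extract KAMAL_REGISTRY_PASSWORD $SECRETS)
RAILS_MASTER_KEY=$(kamal secrets extract RAILS_MASTER_KEY $SECRETS)
PAYMENT_API_KEY=constructed-placeholder-value
EOF
}

# Demo: lint the constructed sample and report the offending key names.
sample="$(mktemp)"
write_sample_secrets "$sample"
audit_kamal_secrets "$sample" || echo "literal values found in the keys listed above"
rm -f "$sample"
```

Run as a pre-commit or CI step against the real secrets file, the non-zero status blocks a commit that would put a key on disk.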
Generated with AI, which can make mistakes.



