In our current NDR-model deployment approach, credentials.yml.enc (and other YAML files using the Rails Encrypted mechanisms) are preloaded onto servers out-of-band from deployments, and symlinked into releases. If they need to be updated, there are a number of hoops to jump through due to read-only filesystems.
Ideally, capistrano would be able to be configured to search the key store repository for matching file(s), and deploy them to the server; both as part of a standard deployment, as well as via a standalone task (e.g. for key rotations).
In our current NDR-model deployment approach,
credentials.yml.enc(and other YAML files using the RailsEncryptedmechanisms) are preloaded onto servers out-of-band from deployments, and symlinked into releases. If they need to be updated, there are a number of hoops to jump through due to read-only filesystems.Ideally, capistrano would be able to be configured to search the key store repository for matching file(s), and deploy them to the server; both as part of a standard deployment, as well as via a standalone task (e.g. for key rotations).