> Because knowledge of the secret_key_base allows an attacker to read and manipulate an application’s cookies, checking the value in was never a good idea.
So FYI, "read and manipulate an application's cookies" is strictly the same as "run arbitrary ruby code in your Rails application process". I would upgrade "never a good idea" to "completely and catastrophically exposes your application to remote code execution" in this paragraph.
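To make the point above concrete, here is an added example (not code from the thread, and not Rails' own source) that re-implements, in plain Ruby with only the standard library, the signed-cookie scheme a Rails 4-era app uses: a key derived from secret_key_base with PBKDF2 and the "signed cookie" salt, and a cookie of the form base64(Marshal.dump(value)) + "--" + hex HMAC-SHA1. The salt, iteration count and key size are my understanding of the framework defaults and should be treated as assumptions; the secret and the cookie payloads are constructed for the demo. It shows that without the secret a tampered cookie fails verification, while with the secret anyone can mint a cookie the app accepts, and that the accepted payload is handed straight to Marshal.load, which is why a leaked secret_key_base is the code-execution problem the comment describes. No deserialization gadget is included.

```ruby
require "openssl"
require "base64"

# Assumed Rails 4-era defaults for signed cookies (not the framework's code).
SIGNED_COOKIE_SALT = "signed cookie"
KEY_ITERATIONS     = 1000   # Rails apps derive cookie keys with 1000 PBKDF2 iterations
KEY_SIZE           = 64     # bytes

# ActiveSupport::KeyGenerator equivalent: stretch secret_key_base into the signing key.
def derive_signing_key(secret_key_base)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, SIGNED_COOKIE_SALT, KEY_ITERATIONS, KEY_SIZE)
end

# Constant-time string comparison so the MAC check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# ActiveSupport::MessageVerifier#generate equivalent:
# "<base64(Marshal.dump(value))>--<hex HMAC-SHA1 over the base64 text>"
def generate_signed_cookie(secret_key_base, value)
  key  = derive_signing_key(secret_key_base)
  data = Base64.strict_encode64(Marshal.dump(value))
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", key, data)}"
end

# ActiveSupport::MessageVerifier#verified equivalent.
# Returns the deserialized value, or nil when the signature does not check out.
def verify_signed_cookie(secret_key_base, cookie)
  data, digest = cookie.to_s.split("--", 2)
  return nil if data.nil? || digest.nil? || data.empty?
  key      = derive_signing_key(secret_key_base)
  expected = OpenSSL::HMAC.hexdigest("SHA1", key, data)
  return nil unless secure_compare(expected, digest)
  # Once the MAC passes, client-supplied bytes go to Marshal.load. With the
  # secret in hand, an attacker chooses those bytes; that is the RCE path.
  Marshal.load(Base64.strict_decode64(data))
end

# Three cookies, all verified with the app's real secret:
#   :legit    - issued by the app for user 42
#   :tampered - payload swapped to user 1 but the old MAC reused (no secret known)
#   :forged   - minted from scratch for user 1 by someone who holds the secret
def forgery_outcome(secret_key_base)
  legit = generate_signed_cookie(secret_key_base, { "user_id" => 42 })
  old_mac = legit.split("--", 2).last
  tampered = "#{Base64.strict_encode64(Marshal.dump({ "user_id" => 1 }))}--#{old_mac}"
  forged = generate_signed_cookie(secret_key_base, { "user_id" => 1 })
  {
    legit:    verify_signed_cookie(secret_key_base, legit),
    tampered: verify_signed_cookie(secret_key_base, tampered),
    forged:   verify_signed_cookie(secret_key_base, forged),
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed secret for the demo; a real secret_key_base is 128 hex characters.
  secret = "0123456789abcdef" * 4
  forgery_outcome(secret).each { |label, value| puts "#{label}: #{value.inspect}" }
end
```

The tampered cookie is rejected because the MAC no longer matches; the forged one is accepted because the MAC is correct, and the app has no way to tell a cookie it issued from one minted by whoever read the secret out of a committed secrets.yml. Rotating secret_key_base invalidates every outstanding cookie, which is the price of a leak.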
Figaro was pretty cool last I checked. Though we've been using foreman [1] for setting the env variables in the .env file, since foreman also helps manage additional processes in development like mailcatcher, mongo, redis, elasticsearch, and any other dependent processes that you don't leave running all the time on your machine. And it has a command to export your env to Heroku or upstart. I don't remember how much of this Figaro does, just thought I'd throw foreman out there as another solution to keep in mind.
Is Figaro even usable without Heroku? From what I understand the commands it offers are tailor-made for Heroku, and the main problem mentioned (secrets.yml not being Heroku-friendly) seems like specifically a Heroku problem. IMO I'd use Figaro for Heroku, and YML files for a VPS.
Figaro is certainly usable without Heroku. It added some Heroku conveniences later in life, but is built to simply populate ENV while keeping source control clean.
I've used Figaro for a few projects and I've found myself very happy with it. It does one thing well without adding unnecessary complexity or overhead to my app. I feel that figaro-like capability in Rails is a win for the community and for figaro/laserlemon as well.
No, it's not. The idea is that you should be able to (hypothetically) open source your app at any time without compromising any sensitive information.