Gathos News

API Keys: Kamal 2 Offers a Fix, Devs Still Risk It

Kamal 2, a deployment tool for Rails applications, introduced `kamal env` to encrypt API keys and other sensitive data, tackling a persistent security flaw. This feature aims to prevent costly breaches and account compromises, yet developers frequently make mistakes by hardcoding or committing credentials directly to repositories. The ongoing challenge highlights the need for robust secret management and better developer habits.

It’s a mistake that can unravel a project, compromise user data, and cost companies real money. We’re talking about leaked API keys and other secrets, often found lurking in public code repositories or hardcoded directly into applications. For years, this has been a stubborn security vulnerability, and as more teams adopt modern deployment tools, the problem simply shifts rather than disappears. Zil Norvilis, writing on Dev.to in May 2026, highlighted this persistent issue, specifically within the context of Ruby on Rails applications deployed with Kamal 2.

Kamal is a popular deployment tool, particularly among smaller Rails teams looking for a simpler alternative to Kubernetes, and it aims to streamline deployment. But simplicity can sometimes breed complacency. Norvilis points out that developers, in their haste, often skip proper secret management, leaving critical API keys – the digital keys to their applications' kingdoms – exposed. Think of an API key for a payment gateway or a cloud storage service; if it falls into the wrong hands, the financial and reputational damage can be severe.

Kamal 2's Approach to Secrets

Recognizing this inherent risk, Kamal 2 introduced `kamal env`, a feature specifically designed to secure these sensitive credentials. Before this, teams often relied on environment variables set directly on servers or `.env` files, which, while better than hardcoding, still carried risks. Environment variables could be inadvertently exposed, and `.env` files, if not handled carefully, might find their way into version control. The `kamal env` command allows developers to encrypt secrets, storing them in a `secret.json.enc` file. This encrypted file can be safely committed to Git, as it's useless without the decryption key.

The real magic happens when Kamal deploys the application. It decrypts the `secret.json.enc` file directly on the target server, injecting the secrets into the application's environment at runtime. This means the sensitive plaintext values never live in your source code, nor do they travel unencrypted across networks or sit idly on developer machines where they might be accidentally exposed. It’s a significant step up, providing a relatively low-overhead, yet effective, layer of security for teams using Kamal.

The Human Element: Still the Weakest Link

Despite the tooling, human error remains a formidable challenge. Norvilis observed that even with `kamal env` available, some developers continue to hardcode secrets or, worse, check them into public Git repositories. This isn't unique to Kamal or Rails; it's a systemic problem across the software industry. Remember the numerous incidents where AWS keys, GitHub tokens, or database credentials were found in public GitHub gists or company repositories, leading to large-scale data breaches? It highlights a critical gap in developer education and the enforcement of security best practices.

While Kamal 2 offers a convenient solution for its ecosystem, it's worth noting that more complex secret management solutions exist for larger enterprises or highly regulated environments. Tools like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault offer more granular access control, auditing, and rotation capabilities. For many teams, especially those starting out or with simpler deployment needs, Kamal's integrated approach is a pragmatic choice, balancing security with ease of use. The key is to actually use the tools provided and embed secret management into the development workflow, rather than treating it as an afterthought.
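
As an added example (not from the article or from Kamal), here is a Ruby check that could run in a pre-commit hook or CI job to catch the mistakes described above: plaintext `.env` files and hardcoded credential literals, while skipping encrypted `.enc` files. The patterns, the function name `scan_for_secrets` and the sample data are assumptions made for illustration.

```ruby
# Added example: pre-commit style check for plaintext secrets (not Kamal code).
# The patterns and file names below are assumptions chosen for illustration.

# Files that must never be committed in plaintext (.env, .env.production, ...).
# .env.example / .env.sample are treated as templates and allowed.
PLAINTEXT_ENV = /(\A|\/)\.env(\.(?!example\z|sample\z)[\w.-]+)?\z/

# Encrypted artifacts are expected in the repository and are skipped.
ENCRYPTED = /\.enc\z/

# name = "literal" assignments whose name looks like a credential.
HARDCODED = /\b(\w*(?:api_?key|secret|token|password)\w*)\s*(?:=|:|=>)\s*["']([^"'\s]{16,})["']/i

# Values that are clearly placeholders or template lookups, not real secrets.
PLACEHOLDER = /\A(?:x+|changeme.*|your[-_].*|<.*>|\$\{.*\}|<%=.*)\z/i

# files: hash of path => content (for example the staged blobs of a commit).
# Returns an array of [path, line_number, reason]; line 0 means the whole file.
def scan_for_secrets(files)
  findings = []
  files.each do |path, content|
    next if path.match?(ENCRYPTED)
    if path.match?(PLAINTEXT_ENV)
      findings << [path, 0, "plaintext env file staged for commit"]
      next
    end
    content.each_line.with_index(1) do |line, number|
      match = line.match(HARDCODED)
      next unless match
      next if match[2].match?(PLACEHOLDER)
      findings << [path, number, "hardcoded value assigned to #{match[1]}"]
    end
  end
  findings
end

# Constructed sample input; none of these values are real credentials.
SAMPLE = {
  "config/initializers/payments.rb" =>
    "PAYMENT_API_KEY = \"sk_test_CONSTRUCTED0000000000\"\n" \
    "client_token = ENV.fetch(\"CLIENT_TOKEN\")\n",
  ".env" => "PAYMENT_API_KEY=sk_test_CONSTRUCTED0000000000\n",
  "secret.json.enc" => "constructed-ciphertext-placeholder\n",
  ".env.example" => "PAYMENT_API_KEY=\n"
}.freeze

scan_for_secrets(SAMPLE).each { |f| puts f.join(":") } if $PROGRAM_NAME == __FILE__
```

A pattern check like this only catches credential-shaped literals next to telling names; it complements encrypted secret storage and does not replace it.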

Why it matters

Secure secret management isn't just a technical detail; it's fundamental to building trustworthy software. Leaked API keys can lead to unauthorized data access, financial fraud, service disruptions, and severe reputational damage. For companies, a single breach can result in millions of dollars in fines, legal fees, and lost customer trust. The story here isn't just about a new feature in a deployment tool; it's a microcosm of the ongoing battle against security vulnerabilities. Even with better tools like Kamal 2's `kamal env`, the industry still struggles with the human tendency to prioritize speed over security. As developers, we have a responsibility to understand the risks and adopt the available safeguards. The health of our applications, and indeed, our digital economy, depends on it.
