diff --git a/.gitignore b/.gitignore index c0a7d838..560417a6 100644 --- a/.gitignore +++ b/.gitignore @@ -41,6 +41,7 @@ roles.yml secrets.yml solr_wrapper.yml subsites.yml +font_awesome_token.yml # these are obsolete configs location_uris.yml @@ -79,4 +80,6 @@ yarn-debug.log* .yarn-integrity # Ignore sitemaps /public/sitemap*.xml.gz -/public/sitemaps/*.xml.gz \ No newline at end of file +/public/sitemaps/*.xml.gz + +/config/credentials/*.key diff --git a/Gemfile b/Gemfile index 7ca72c66..9bc24bac 100644 --- a/Gemfile +++ b/Gemfile 
@@ -4,48 +4,48 @@ source 'https://rubygems.org' def font_awesome_token return ENV['FONT_AWESOME_TOKEN'] if ENV['FONT_AWESOME_TOKEN'] && ENV['FONT_AWESOME_TOKEN'] != '' - YAML.load(File.read("./config/secrets.yml")).dig('shared', 'font_awesome_token') if File.exist?("./config/secrets.yml") + YAML.load(File.read("./config/font_awesome_token.yml")).dig('shared', 'font_awesome_token') if File.exist?("./config/font_awesome_token.yml") end gem 'bigdecimal', '~>3.0' # Bundle edge Rails instead: gem 'rails', github: 'rails/rails' +gem 'font-awesome-sass', '~> 6.4.0' gem 'rails', '~> 6.1.0' -gem 'shakapacker', '7.2.2' gem 'sassc' -gem "font-awesome-sass", "~> 6.4.0" +gem 'shakapacker', '7.2.2' fa_token = font_awesome_token if fa_token source "https://token:#{fa_token}@dl.fontawesome.com/basic/fontawesome-pro/ruby/" do - gem "font-awesome-pro-sass", "~> 6.4.0" + gem 'font-awesome-pro-sass', '~> 6.4.0' end else raise 'ERROR: You are missing font_awesome_token in secrets.yml. It is required for `bundle install` to work.' 
end -gem 'bootsnap', '~> 1.9.3' gem 'actionpack-action_caching' +gem 'bootsnap', '~> 1.9.3' # Hydra stack -gem 'nokogiri', '~> 1.15.2' # update past 1.10 requires alma -gem 'blacklight', '~> 7.33.1' -gem 'view_component', '~>2.82.0' gem 'active-fedora', '~> 8.7' +gem 'blacklight', '~> 7.33.1' +gem 'nokogiri', '~> 1.15.2' # update past 1.10 requires alma gem 'rdf', '>= 1.1.5' gem 'rdf-vocab' +gem 'view_component', '~>2.82.0' # carrierwave for file uploads gem 'carrierwave', '~> 1.3' -#gem 'rubydora', :path => '../rubydora' +# gem 'rubydora', :path => '../rubydora' gem 'rubydora' -gem 'cul_omniauth', '~> 0.7.0' gem 'cancancan' -#gem 'cul_omniauth', git: 'https://github.com/cul/cul_omniauth', branch: '0.5.x' +gem 'cul_omniauth', '~> 0.7.0' +# gem 'cul_omniauth', git: 'https://github.com/cul/cul_omniauth', branch: '0.5.x' gem 'active-triples', git: 'https://github.com/cul/ActiveTriples', branch: 'deprecation_update' # Use wowza token gem for generating tokens gem 'wowza-secure_token', '0.0.1' # Use sqlite3 as the database for Active Record -gem "sqlite3", "~> 1.4" +gem 'sqlite3', '~> 1.4' # Use mysql2 gem for mysql connections gem 'mysql2', '~> 0.5.2' @@ -87,13 +87,13 @@ gem 'addressable', '~> 2.8.0' # gem 'debugger', group: [:development, :test] gem 'devise' -gem "devise-guests", "~> 0.3" +gem 'devise-guests', '~> 0.3' # Gem min versions that are only specified here because of vulnerabilities in earlier versions: -gem 'rubyzip', '>= 1.2.1' -gem 'rack-protection', '>= 1.5.5' -gem 'loofah', '>= 2.2.1' gem 'best_type' +gem 'loofah', '>= 2.2.1' +gem 'rack-protection', '>= 1.5.5' +gem 'rubyzip', '>= 1.2.1' gem 'sitemap_generator' 
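Review bot: The `raise` in the `else` branch still says the token is missing "in secrets.yml", but `font_awesome_token` now reads `./config/font_awesome_token.yml`, so the message sends the reader to a file the Gemfile no longer consults. It should name the new sources, for example `raise 'ERROR: font_awesome_token not found in FONT_AWESOME_TOKEN or config/font_awesome_token.yml. It is required for bundle install to work.'`. The rewritten lookup also keeps `YAML.load`, which on Psych releases before 4 can instantiate arbitrary objects; `YAML.safe_load(File.read(path))` is sufficient for a one-key file. An empty or malformed file makes `.dig` raise NoMethodError before the intended error is reached, so `&.dig('shared', 'font_awesome_token')` would be safer.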
@@ -101,34 +101,34 @@ group :development, :test do # Use Capistrano for deployment gem 'capistrano', '~> 3.17.3', require: false # Rails and Bundler integrations were moved out from Capistrano 3 - gem 'capistrano-rails', '~> 1.4', require: false gem 'capistrano-bundler', '~> 1.1', require: false + gem 'capistrano-rails', '~> 1.4', require: false # "idiomatic support for your preferred ruby version manager" gem 'capistrano-rvm', '~> 0.1', require: false # The `deploy:restart` hook for passenger applications is now in a separate gem # Just add it to your Gemfile and require it in your Capfile. gem 'capistrano-passenger', '~> 0.2', require: false # Use net-ssh >= 4.2 to prevent warnings with Ruby 2.4 + gem 'capybara', '~> 3.32' gem 'net-ssh', '>= 4.2' - gem 'rspec-rails' - gem 'rspec-json_expectations' gem 'react_on_rails' - gem 'capybara', '~> 3.32' + gem 'rspec-json_expectations' + gem 'rspec-rails' # For testing with chromedriver for headless-browser JavaScript testing - gem 'selenium-webdriver', '~> 4.16.0' gem 'database_cleaner' gem 'factory_bot_rails' + gem 'selenium-webdriver', '~> 4.16.0' gem 'rubocop', '~> 0.53.0', require: false - gem 'rubocop-rspec', '>= 1.20.1', require: false - gem 'rubocop-rails_config', require: false gem 'listen' + gem 'rubocop-rails_config', require: false + gem 'rubocop-rspec', '>= 1.20.1', require: false end # Add unicorn as available app server -#gem 'unicorn' +# gem 'unicorn' # Use Thin for local development -#gem "thin" +# gem "thin" # everybody loves rainbows gem 'rainbow', '~> 3.0' @@ -136,4 +136,4 @@ gem 'rainbow', '~> 3.0' # Use Puma for local development gem 'puma', '~> 5.2' -gem "ox", "~> 2.14" +gem 'ox', '~> 2.14' diff --git a/config/credentials/development.yml.enc b/config/credentials/development.yml.enc new file mode 100644 index 00000000..4e4e0a46 --- /dev/null +++ b/config/credentials/development.yml.enc 
@@ -0,0 +1 @@ +XQvMwMpidq4aTVJlhQpX7bjIKIluhsK5h1OdH6YcsRUoynsY54xbKE/TH5P/Ccs8lXR0MNTntgd0e1yxlmSz3GTIT7iaA/OIkxgjJXeq4poFAyLGWQS0SJphAHGLw5PAxGgTeyhPp66wScArt4DjZsnTnsat/pMmmVDFgxIevN/YrPPBn3G/XW012rVY7FdnMyQYaUg3XukY5dwCAnq3qwOPR0YatiEIBop0YOAZllIM0+d7W2dF2A+q5VMllUXhLAzkAYbgj5couNm4iBCCaWvRGB6BOReRwz+UX5w2cVqWAzNl8f4xn2WmqvtqLwgcmOz/UmxVWe8JnZywaJz1cEIbptzf4upvz03WOLDWt5+VMmISaMdupGTJxcWmzmmLHSJu1Qoxf5ExxANWXJ+c1IVHollAM1pR87swng1KMQZZxRV/EYDOylVRqk+RdcG0qAnACnWZdd5colr4lRZ7nzvO5zPKxdL07B0=--KjONfPBF7vboCMgZ--YKXug17UkG3IkOhNUokOIQ== \ No newline at end of file diff --git a/config/deploy.rb b/config/deploy.rb index e8ba539d..9db79834 100644 --- a/config/deploy.rb +++ b/config/deploy.rb @@ -30,7 +30,7 @@ set :log_level, :info # Default value for linked_dirs is [] -set :linked_dirs, fetch(:linked_dirs, []).push('log','tmp/pids', 'public/images/sites', 'node_modules', 'public/packs', 'public/sitemaps') +set :linked_dirs, fetch(:linked_dirs, []).push('log','tmp/pids', 'public/images/sites', 'node_modules', 'public/packs', 'public/sitemaps','config/credentials') # Default value for keep_releases is 5 set :keep_releases, 3 @@ -56,6 +56,10 @@ "public/robots.txt" ) +Dir.glob('config/credentials/*.yml.enc').each do |file| + append :linked_files, file +end + namespace :deploy do desc "Report the environment" task :report do diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index bfa7fad5..805e6309 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb 
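Review bot: `config/credentials` is added to `linked_dirs` in the first `config/deploy.rb` hunk, and the second hunk then appends every `config/credentials/*.yml.enc` to `linked_files`, so the same paths are declared for symlinking twice. With the whole directory linked from `shared/`, the per-file entries look redundant and one of the two should be dropped. The `Dir.glob` is also evaluated on the machine running Capistrano, relative to its working directory, so the list reflects the local checkout (only `development.yml.enc` is committed here) rather than what exists under `shared/` on the server. The encrypted files need their `.key` to be usable, so I would add a comment on provisioning, e.g. `# matching *.key files are placed in shared/config/credentials on the server; they are git-ignored and never committed`.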
@@ -4,7 +4,7 @@ # The secret key used by Devise. Devise uses this key to generate # random tokens. Changing this key will render invalid all existing # confirmation, reset password and unlock tokens in the database. - config.secret_key = Rails.application.config_for(:secrets)[:devise_secret_key] + config.secret_key = Rails.application.credentials.dig(Rails.env.to_sym, :devise_secret_key) # ==> Mailer Configuration # Configure the e-mail address which will be shown in Devise::Mailer, diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb index 1d43cb6a..1e053261 100644 --- a/config/initializers/secret_token.rb +++ b/config/initializers/secret_token.rb @@ -9,7 +9,7 @@ # Make sure your secret_key_base is kept private # if you're sharing your code publicly. -Rails.application.config.secret_key_base = Rails.application.config_for(:secrets)[:secret_key_base] +Rails.application.config.secret_key_base = Rails.application.credentials.dig(Rails.env.to_sym, :secret_key_base) if Blacklight.respond_to? :secret_key Blacklight.secret_key = Rails.application.config.secret_key_base end \ No newline at end of file diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index 4553a030..44866db5 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -2,6 +2,6 @@ cookie_opts = ["development", "test"].include?(Rails.env.to_s) ? {} : { same_site: :none, secure: true } Rails.application.config.session_store(:cookie_store, - key: Rails.application.config.secret_key_base = Rails.application.config_for(:secrets)[:session_store_key], + key: Rails.application.config.secret_key_base = Rails.application.credentials.dig(Rails.env.to_sym, :session_store_key), **cookie_opts ) diff --git a/config/templates/secrets.template.yml.erb b/config/templates/secrets.template.yml.erb deleted file mode 100644 index 843992f8..00000000 --- a/config/templates/secrets.template.yml.erb +++ /dev/null 
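Review bot: `Rails.application.credentials.dig(Rails.env.to_sym, :devise_secret_key)` returns nil silently when the entry is missing, or when the environment's key file is absent (unless `config.require_master_key` is set). A misprovisioned host then boots with no secret assigned here instead of failing at the misconfiguration. The same applies to `secret_key_base` in `config/initializers/secret_token.rb`, where the nil is also copied into `Blacklight.secret_key`. Only `config/credentials/development.yml.enc` is added by this commit although the deleted template also had a `test` section, so the test environment appears to depend on a file that is not in the repository. I would fail fast, e.g. `config.secret_key = Rails.application.credentials.dig(Rails.env.to_sym, :devise_secret_key) || raise("devise_secret_key missing from credentials for #{Rails.env}")`; the enclosing setup block starts and ends outside the hunk.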
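Review bot: The `key:` argument in `config/initializers/session_store.rb` is still written as an assignment, `key: Rails.application.config.secret_key_base = ...`, so loading this initializer overwrites `config.secret_key_base` with the session cookie name. The deleted template shows those names are fixed strings such as `_dcv_development_session_key`, so anything that derives keys from `config.secret_key_base` after this point would be working from a guessable value. The line should pass only the cookie name: `key: Rails.application.credentials.dig(Rails.env.to_sym, :session_store_key),`. A cookie name is not a secret, so it could equally be a plain constant kept outside the credentials file.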
@@ -1,10 +0,0 @@
-shared:
- font_awesome_token: <%= ENV['FONT_AWESOME_TOKEN'] %>
-development:
- devise_secret_key: <%= SecureRandom.hex(64) %>
- secret_key_base: <%= SecureRandom.hex(64) %>
- session_store_key: _dcv_development_session_key
-test:
- devise_secret_key: <%= SecureRandom.hex(64) %>
- secret_key_base: <%= SecureRandom.hex(64) %>
- session_store_key: _dcv_test_session_key