diff --git a/.gitignore b/.gitignore index c0a7d838..7f2dc3b4 100644 --- a/.gitignore +++ b/.gitignore @@ -79,4 +79,5 @@ yarn-debug.log* .yarn-integrity # Ignore sitemaps /public/sitemap*.xml.gz -/public/sitemaps/*.xml.gz \ No newline at end of file +/public/sitemaps/*.xml.gz +/config/credentials/*.key diff --git a/Dockerfile b/Dockerfile index 32e94ce4..bf010495 100644 --- a/Dockerfile +++ b/Dockerfile @@ -19,6 +19,8 @@ RUN chmod +x /usr/bin/entrypoint.sh WORKDIR /app +RUN gem install activesupport + RUN bundle install RUN yarn install --ignore-engines diff --git a/Gemfile b/Gemfile index 7ca72c66..a0771a81 100644 --- a/Gemfile +++ b/Gemfile 
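Review bot: `RUN gem install activesupport` installs whatever activesupport version rubygems serves at build time, outside Gemfile.lock, so the Gemfile's `require 'active_support'` is evaluated against an unpinned copy that can differ from the `rails '~> 6.1.0'` version Bundler resolves, and the image build stops being reproducible. Pin it to the bundled line, e.g. `RUN gem install activesupport -v '~> 6.1.0'`, or consider making the Gemfile helper depend only on the standard library so the extra global install is not needed at all. A short comment above the line saying why a gem is installed ahead of `bundle install` would also help the next maintainer.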
@@ -1,51 +1,64 @@ +require 'active_support' +require 'active_support/core_ext' require 'yaml' source 'https://rubygems.org' def font_awesome_token return ENV['FONT_AWESOME_TOKEN'] if ENV['FONT_AWESOME_TOKEN'] && ENV['FONT_AWESOME_TOKEN'] != '' - YAML.load(File.read("./config/secrets.yml")).dig('shared', 'font_awesome_token') if File.exist?("./config/secrets.yml") + + encrypted_data = File.binread('./config/credentials/development.yml.enc') + master_key = File.read('./config/credentials/development.key').strip + + crypt = ActiveSupport::MessageEncryptor.new( + [master_key].pack('H*'), + cipher: 'aes-128-gcm' + ) + + decrypted_credentials = crypt.decrypt_and_verify(encrypted_data) + credentials = YAML.safe_load(decrypted_credentials) + credentials.dig('shared', 'font_awesome_token') end gem 'bigdecimal', '~>3.0' # Bundle edge Rails instead: gem 'rails', github: 'rails/rails' +gem 'font-awesome-sass', '~> 6.4.0' gem 'rails', '~> 6.1.0' -gem 'shakapacker', '7.2.2' gem 'sassc' -gem "font-awesome-sass", "~> 6.4.0" +gem 'shakapacker', '7.2.2' fa_token = font_awesome_token if fa_token source "https://token:#{fa_token}@dl.fontawesome.com/basic/fontawesome-pro/ruby/" do - gem "font-awesome-pro-sass", "~> 6.4.0" + gem 'font-awesome-pro-sass', '~> 6.4.0' end else raise 'ERROR: You are missing font_awesome_token in secrets.yml. It is required for `bundle install` to work.' 
end -gem 'bootsnap', '~> 1.9.3' gem 'actionpack-action_caching' +gem 'bootsnap', '~> 1.9.3' # Hydra stack -gem 'nokogiri', '~> 1.15.2' # update past 1.10 requires alma -gem 'blacklight', '~> 7.33.1' -gem 'view_component', '~>2.82.0' gem 'active-fedora', '~> 8.7' +gem 'blacklight', '~> 7.33.1' +gem 'nokogiri', '~> 1.15.2' # update past 1.10 requires alma gem 'rdf', '>= 1.1.5' gem 'rdf-vocab' +gem 'view_component', '~>2.82.0' # carrierwave for file uploads gem 'carrierwave', '~> 1.3' -#gem 'rubydora', :path => '../rubydora' +# gem 'rubydora', :path => '../rubydora' gem 'rubydora' -gem 'cul_omniauth', '~> 0.7.0' gem 'cancancan' -#gem 'cul_omniauth', git: 'https://github.com/cul/cul_omniauth', branch: '0.5.x' +gem 'cul_omniauth', '~> 0.7.0' +# gem 'cul_omniauth', git: 'https://github.com/cul/cul_omniauth', branch: '0.5.x' gem 'active-triples', git: 'https://github.com/cul/ActiveTriples', branch: 'deprecation_update' # Use wowza token gem for generating tokens gem 'wowza-secure_token', '0.0.1' # Use sqlite3 as the database for Active Record -gem "sqlite3", "~> 1.4" +gem 'sqlite3', '~> 1.4' # Use mysql2 gem for mysql connections gem 'mysql2', '~> 0.5.2' @@ -87,13 +100,13 @@ gem 'addressable', '~> 2.8.0' # gem 'debugger', group: [:development, :test] gem 'devise' -gem "devise-guests", "~> 0.3" +gem 'devise-guests', '~> 0.3' # Gem min versions that are only specified here because of vulnerabilities in earlier versions: -gem 'rubyzip', '>= 1.2.1' -gem 'rack-protection', '>= 1.5.5' -gem 'loofah', '>= 2.2.1' gem 'best_type' +gem 'loofah', '>= 2.2.1' +gem 'rack-protection', '>= 1.5.5' +gem 'rubyzip', '>= 1.2.1' gem 'sitemap_generator' 
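Review bot: `font_awesome_token` now reads `./config/credentials/development.yml.enc` and `./config/credentials/development.key` unconditionally, so when either file is absent (a non-development checkout, or a fresh clone before the key is provisioned) `File.binread`/`File.read` raise `Errno::ENOENT`, and a wrong key raises `ActiveSupport::MessageEncryptor::InvalidMessage`, before the `raise` below that is meant to explain the problem; the removed code guarded the read with `File.exist?`. Restore the guard, e.g. `return unless File.exist?('./config/credentials/development.yml.enc') && File.exist?('./config/credentials/development.key')`, and update the error message, which still says `secrets.yml`, to name `FONT_AWESOME_TOKEN` or the credentials file. The environment name is hard-coded to development; whether other environments are expected to supply `FONT_AWESOME_TOKEN` instead is not visible in this hunk and deserves a comment on the method.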
@@ -101,34 +114,34 @@ group :development, :test do # Use Capistrano for deployment gem 'capistrano', '~> 3.17.3', require: false # Rails and Bundler integrations were moved out from Capistrano 3 - gem 'capistrano-rails', '~> 1.4', require: false gem 'capistrano-bundler', '~> 1.1', require: false + gem 'capistrano-rails', '~> 1.4', require: false # "idiomatic support for your preferred ruby version manager" gem 'capistrano-rvm', '~> 0.1', require: false # The `deploy:restart` hook for passenger applications is now in a separate gem # Just add it to your Gemfile and require it in your Capfile. gem 'capistrano-passenger', '~> 0.2', require: false # Use net-ssh >= 4.2 to prevent warnings with Ruby 2.4 + gem 'capybara', '~> 3.32' gem 'net-ssh', '>= 4.2' - gem 'rspec-rails' - gem 'rspec-json_expectations' gem 'react_on_rails' - gem 'capybara', '~> 3.32' + gem 'rspec-json_expectations' + gem 'rspec-rails' # For testing with chromedriver for headless-browser JavaScript testing - gem 'selenium-webdriver', '~> 4.16.0' gem 'database_cleaner' gem 'factory_bot_rails' + gem 'selenium-webdriver', '~> 4.16.0' gem 'rubocop', '~> 0.53.0', require: false - gem 'rubocop-rspec', '>= 1.20.1', require: false - gem 'rubocop-rails_config', require: false gem 'listen' + gem 'rubocop-rails_config', require: false + gem 'rubocop-rspec', '>= 1.20.1', require: false end # Add unicorn as available app server -#gem 'unicorn' +# gem 'unicorn' # Use Thin for local development -#gem "thin" +# gem "thin" # everybody loves rainbows gem 'rainbow', '~> 3.0' @@ -136,4 +149,4 @@ gem 'rainbow', '~> 3.0' # Use Puma for local development gem 'puma', '~> 5.2' -gem "ox", "~> 2.14" +gem 'ox', '~> 2.14' diff --git a/config/credentials/development.yml.enc b/config/credentials/development.yml.enc new file mode 100644 index 00000000..b44d5db7 --- /dev/null +++ b/config/credentials/development.yml.enc 
@@ -0,0 +1 @@ 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--gsv8Dy8iqoJyezVI--knbK6R45DH+40kUwiERIcQ== \ No newline at end of file diff --git a/config/deploy.rb b/config/deploy.rb index e8ba539d..9db79834 100644 --- a/config/deploy.rb +++ b/config/deploy.rb @@ -30,7 +30,7 @@ set :log_level, :info # Default value for linked_dirs is [] -set :linked_dirs, fetch(:linked_dirs, []).push('log','tmp/pids', 'public/images/sites', 'node_modules', 'public/packs', 'public/sitemaps') +set :linked_dirs, fetch(:linked_dirs, []).push('log','tmp/pids', 'public/images/sites', 'node_modules', 'public/packs', 'public/sitemaps','config/credentials') # Default value for keep_releases is 5 set :keep_releases, 3 @@ -56,6 +56,10 @@ "public/robots.txt" ) +Dir.glob('config/credentials/*.yml.enc').each do |file| + append :linked_files, file +end + namespace :deploy do desc "Report the environment" task :report do diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index bfa7fad5..805e6309 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -4,7 +4,7 @@ # The secret key used by Devise. Devise uses this key to generate # random tokens. Changing this key will render invalid all existing # confirmation, reset password and unlock tokens in the database. - config.secret_key = Rails.application.config_for(:secrets)[:devise_secret_key] + config.secret_key = Rails.application.credentials.dig(Rails.env.to_sym, :devise_secret_key) # ==> Mailer Configuration # Configure the e-mail address which will be shown in Devise::Mailer, diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb index 1d43cb6a..1e053261 100644 --- a/config/initializers/secret_token.rb +++ b/config/initializers/secret_token.rb 
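Review bot: Adding `config/credentials` to `:linked_dirs` and then appending each `config/credentials/*.yml.enc` to `:linked_files` (the second deploy.rb hunk) conflict with each other: once the directory is a symlink into `shared/`, the per-file link target `release_path/config/credentials/<name>.yml.enc` resolves inside the shared directory itself, and if I read Capistrano's `deploy:symlink:linked_files` correctly that can replace the shared file with a link pointing at itself. The committed `.yml.enc` files are already present in every release; only the git-ignored per-environment `*.key` needs to live in `shared/`. Drop `'config/credentials'` from the `push(...)` call and link the key instead, e.g. `append :linked_files, 'config/credentials/<env>.key'` with `<env>` being the stage's Rails environment (placeholder). Note also that `Dir.glob` here runs on the deployer's machine relative to the current working directory, not on the server.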
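Review bot: `Rails.application.credentials.dig(Rails.env.to_sym, :devise_secret_key)` nests the lookup under the environment a second time: Rails already prefers `config/credentials/#{Rails.env}.yml.enc` when that file exists (this commit adds `development.yml.enc`), so a `development:` key inside it is redundant, and a missing or mistyped key yields `nil` here with no error. The same pattern is used in the secret_token.rb and session_store.rb hunks. If the per-environment nesting is intentional, fail fast rather than silently, e.g. `config.secret_key = Rails.application.credentials.dig(Rails.env.to_sym, :devise_secret_key) || raise('devise_secret_key missing from credentials')`, and add a one-line comment stating which credentials file is read and why its keys are grouped per environment.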
@@ -9,7 +9,7 @@ # Make sure your secret_key_base is kept private # if you're sharing your code publicly. -Rails.application.config.secret_key_base = Rails.application.config_for(:secrets)[:secret_key_base] +Rails.application.config.secret_key_base = Rails.application.credentials.dig(Rails.env.to_sym, :secret_key_base) if Blacklight.respond_to? :secret_key Blacklight.secret_key = Rails.application.config.secret_key_base end \ No newline at end of file diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb index 4553a030..44866db5 100644 --- a/config/initializers/session_store.rb +++ b/config/initializers/session_store.rb @@ -2,6 +2,6 @@ cookie_opts = ["development", "test"].include?(Rails.env.to_s) ? {} : { same_site: :none, secure: true } Rails.application.config.session_store(:cookie_store, - key: Rails.application.config.secret_key_base = Rails.application.config_for(:secrets)[:session_store_key], + key: Rails.application.config.secret_key_base = Rails.application.credentials.dig(Rails.env.to_sym, :session_store_key), **cookie_opts ) diff --git a/config/templates/secrets.template.yml.erb b/config/templates/secrets.template.yml.erb deleted file mode 100644 index 843992f8..00000000 --- a/config/templates/secrets.template.yml.erb +++ /dev/null @@ -1,10 +0,0 @@ -shared: - font_awesome_token: <%= ENV['FONT_AWESOME_TOKEN'] %> -development: - devise_secret_key: <%= SecureRandom.hex(64) %> - secret_key_base: <%= SecureRandom.hex(64) %> - session_store_key: _dcv_development_session_key -test: - devise_secret_key: <%= SecureRandom.hex(64) %> - secret_key_base: <%= SecureRandom.hex(64) %> - session_store_key: _dcv_test_session_key
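Review bot: The changed session_store.rb line still assigns the session cookie name to `Rails.application.config.secret_key_base` (`key: Rails.application.config.secret_key_base = …`), so after initializers load (alphabetically, this file runs after secret_token.rb) `config.secret_key_base` holds the non-secret `session_store_key` value instead of the key set in secret_token.rb. Whether Rails' own `secret_key_base` lookup observes that depends on when its secrets are first memoized, but nothing should rely on that ordering, and the previous `config_for` version had the same clobbering assignment. The cookie store only needs the name: `key: Rails.application.credentials.dig(Rails.env.to_sym, :session_store_key),`.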