diff --git a/.env.example b/.env.example
index 0a8c05d..eea8055 100644
--- a/.env.example
+++ b/.env.example
@@ -1,8 +1,6 @@
 RAILS_ENV=production
-SECRET_KEY_BASE=
 IMAP_SERVER=
 DEFAULT_FROM=
-DEVISE_PEPPER=
 SKEL_SUTTY=https://0xacab.org/sutty/skel.sutty.nl
 SUTTY=sutty.nl
 REDIS_SERVER=
diff --git a/.gitignore b/.gitignore
index 5cf7616..b89536c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,7 @@
 /data/*
 
 .env
+
+# Ignore master key for decrypting credentials and more.
+/config/master.key
+/config/credentials.yml.enc
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index e3dce7c..fe8d487 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -127,7 +127,7 @@ Devise.setup do |config|
   config.stretches = Rails.env.test? ? 1 : 11
 
   # Set up a pepper to generate the hashed password.
-  config.pepper = ENV['DEVISE_PEPPER']
+  config.pepper = Rails.application.credentials.devise_pepper
 
   # Send a notification to the original email when the user's email is
   # changed.
diff --git a/config/secrets.yml b/config/secrets.yml
deleted file mode 100644
index aead418..0000000
--- a/config/secrets.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-# Be sure to restart your server when you modify this file.
-
-# Your secret key is used for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-# You can use `rails secret` to generate a secure secret key.
-
-# Make sure the secrets in this file are kept private
-# if you're sharing your code publicly.
-
-# Shared secrets are available across all environments.
-
-# shared:
-#   api_key: a1B2c3D4e5F6
-
-# Environmental secrets are only available for that specific environment.
-
-development:
-  secret_key_base: 18809d32b6661e906759535c3de06955d0eb551a83de5639f1ca4f0375bafd9653b818c4b881942e5cd5cc8da265617c9164fdb63b9f491d4481036c3d23e677
-
-test:
-  secret_key_base: 95f26bd27ca88acb1f0d8d207fa5e60ae7dc56463774990c4acb938110af035690c929f844eaa97cc9a06b67f44631663f40c927b19c706dcccf629143550a2f
-
-# Do not keep production secrets in the unencrypted secrets file.
-# Instead, either read values from the environment.
-# Or, use `bin/rails secrets:setup` to configure encrypted secrets
-# and move the `production:` environment over there.
-
-production:
-  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>