You're best bet would be to upgrade to Rails 5.1.X if possible and use the encrypted secrets. It will at least get the code base up to a point where swapping out the encrypted secrets for credentials an easier task.
I'd say it would depend on how you're deploying to the production environment.
Basically, you can use your `secrets.yml` file to store all of the keys and values. Within each of the values, reference an environment variable. So, within the file, you may have something like this:
```
production:
database_password:
```
At least, in this way, you're not storing sensitive information in the codebase. From here, you can set your Environment Variables how you see fit. On a production deployment, it could be through ansible/chef/capistrano that is setting the ENV Vars or something similar.
In this situation, the developers must have access to the master key which would expose production secrets to more people than necessary. This of course depends on the layout of the R&D team. If it is a solo developer working on a personal project then the exposure is obviously limited. However, in a larger setting, often the developers will not have access nor the secrets to the production environment.