Rakefile in rake_secrets-0.1.0.pre.4 vs Rakefile in rake_secrets-0.1.0.pre.5

@@ -1,17 +1,17 @@
 # frozen_string_literal: true
 
-require 'yaml'
 require 'rake_circle_ci'
 require 'rake_git'
 require 'rake_git_crypt'
 require 'rake_github'
-require 'rake_ssh'
 require 'rake_gpg'
-require 'securerandom'
+require 'rake_ssh'
 require 'rspec/core/rake_task'
 require 'rubocop/rake_task'
+require 'securerandom'
+require 'yaml'
 
 task default: %i[
   library:fix
   test:unit
 ]
@@ -46,14 +46,16 @@
       FileUtils.mkdir_p('config/secrets/ci')
     end
   end
 
   namespace :passphrase do
-    desc 'Generate encryption passphrase used by CI.'
+    desc 'Generate encryption passphrase for CI GPG key'
     task generate: ['directory:ensure'] do
-      File.write('config/secrets/ci/encryption.passphrase',
-                 SecureRandom.base64(36))
+      File.write(
+        'config/secrets/ci/encryption.passphrase',
+        SecureRandom.base64(36)
+      )
     end
   end
 end
 
 namespace :keys do
@@ -74,9 +76,19 @@
     )
   end
 end
 
 namespace :secrets do
+  namespace :directory do
+    desc 'Ensure secrets directory exists and is set up correctly'
+    task :ensure do
+      FileUtils.mkdir_p('config/secrets')
+      unless File.exist?('config/secrets/.unlocked')
+        File.write('config/secrets/.unlocked', 'true')
+      end
+    end
+  end
+
   desc 'Generate all generatable secrets.'
   task generate: %w[
     encryption:passphrase:generate
     keys:deploy:generate
     keys:gpg:generate