diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 5db0e22ed1022899b7f239219dfb1f4d5be95421..e90f2a7317c2e032a9137c2f240c88e6bc391d2d 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -616,6 +616,9 @@ production: &base
     enabled: false
     prevent_ldap_sign_in: false
 
+    # File location to read encrypted secrets from
+    # secret_file: /mnt/gitlab/ldap.yaml.enc # Default: shared/encrypted_settings/ldap.yaml.enc
+
     # This setting controls the number of seconds between LDAP permission checks
     # for each user. After this time has expired for a given user, their next
     # interaction with GitLab (a click in the web UI, a git pull, etc.) will be
diff --git a/lib/gitlab/encrypted_ldap_command.rb b/lib/gitlab/encrypted_ldap_command.rb
index e86aa3bf0d6bfb5eeac3c22f01f091b586df4203..682edbf1758f5adc72ea1276e89714457b245e3b 100644
--- a/lib/gitlab/encrypted_ldap_command.rb
+++ b/lib/gitlab/encrypted_ldap_command.rb
@@ -13,8 +13,6 @@ def write(contents)
         puts "File encrypted and saved."
       rescue Interrupt
         puts "Aborted changing file: nothing saved."
-      rescue Gitlab::EncryptedConfiguration::MissingKeyError
-        puts "Missing encryption key enc_settings_key_base."
       rescue ActiveSupport::MessageEncryptor::InvalidMessage
         puts "Couldn't decrypt #{encrypted.content_path}. Perhaps you passed the wrong key?"
       end
@@ -24,7 +22,7 @@ def edit
         return unless validate_config(encrypted)
 
         editor = ENV['EDITOR'] || 'editor'
-        temp_file = Tempfile.new(File.basename(encrypted.content_path))
+        temp_file = Tempfile.new(File.basename(encrypted.content_path), File.dirname(encrypted.content_path))
 
         encrypted.change do |contents|
           contents = encrypted_file_template unless File.exist?(encrypted.content_path)
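Review bot: The temp file created by `Tempfile.new(File.basename(encrypted.content_path), File.dirname(encrypted.content_path))` holds the decrypted LDAP secrets, and it now sits beside the encrypted file, which per the config example may be a shared mount such as `/mnt/gitlab`. Tempfile creates it with owner-only permissions, but a hard kill of the task, or the editor's own swap and backup files, would leave plaintext on persistent storage that backups or other nodes may read. The body of the `ensure` clause lies outside this hunk, so cleanup cannot be confirmed from here; please check that it calls `temp_file&.unlink`. A comment above the line would also help, for example `# Plaintext is written next to the encrypted file while editing; it is removed in the ensure block`. The body of `edit` starts and ends outside the hunk.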
@@ -36,8 +34,6 @@ def edit
         puts "File encrypted and saved."
       rescue Interrupt
         puts "Aborted changing file: nothing saved."
-      rescue Gitlab::EncryptedConfiguration::MissingKeyError
-        puts "Missing encryption key enc_settings_key_base."
       rescue ActiveSupport::MessageEncryptor::InvalidMessage
         puts "Couldn't decrypt #{encrypted.content_path}. Perhaps you passed the wrong key?"
       ensure
@@ -46,10 +42,9 @@ def edit
 
       def show
         encrypted = Gitlab::Auth::Ldap::Config.encrypted_secrets
+        return unless validate_config(encrypted)
 
         puts encrypted.read.presence || "File '#{encrypted.content_path}' does not exist. Use `rake gitlab:ldap:secret:edit` to change that."
-      rescue Gitlab::EncryptedConfiguration::MissingKeyError
-        puts "Missing encryption key enc_settings_key_base."
       rescue ActiveSupport::MessageEncryptor::InvalidMessage
         puts "Couldn't decrypt #{encrypted.content_path}. Perhaps you passed the wrong key?"
       end
@@ -64,6 +59,11 @@ def validate_config(encrypted)
           return false
         end
 
+        if encrypted.key.nil?
+          puts "Missing encryption key enc_settings_key_base."
+          return false
+        end
+
         true
       end
 
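Review bot: The new guard `if encrypted.key.nil?` only covers an absent key, so a key that is present but empty may no longer be reported cleanly now that the `rescue Gitlab::EncryptedConfiguration::MissingKeyError` clauses are removed from `write`, `edit` and `show`. Whether the configuration class can still raise that error for a non-nil key is not visible here. If it can, the operator gets a backtrace instead of the `Missing encryption key enc_settings_key_base.` message. Consider `if encrypted.key.blank?` for the guard, or keep one rescue as a backstop. `validate_config` starts outside the hunk.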
diff --git a/spec/tasks/gitlab/ldap_rake_spec.rb b/spec/tasks/gitlab/ldap_rake_spec.rb
index f0647c498b6ffbc208db645c8413fb3f8cb6a6c8..636260e8dab185ad07f99bb6fbbd4d4a5c45c943 100644
--- a/spec/tasks/gitlab/ldap_rake_spec.rb
+++ b/spec/tasks/gitlab/ldap_rake_spec.rb
@@ -27,7 +27,7 @@
   end
 
   after do
-    FileUtils.rm_rf('tmp/tests/ldapenc/')
+    FileUtils.rm_rf(Rails.root.join('tmp/tests/ldapenc'))
   end
 
   describe ':show' do
@@ -74,7 +74,7 @@
     end
 
     it 'displays error when write directory does not exist' do
-      FileUtils.rm_rf('tmp/tests/ldapenc/')
+      FileUtils.rm_rf(Rails.root.join('tmp/tests/ldapenc'))
       expect { run_rake_task('gitlab:ldap:secret:edit') }.to output(/Directory .* does not exist./).to_stdout
     end
   end