Generally in applications there are various secrets and credentials, that we need to make use of like API keys, secrets, etc. For such secrets we need the ability to conveniently and securely manage credentials.
Rails 5.1 added
secrets to manage credentials.
Rails 5.2 replaced
since encrypted and un-encrypted secrets
were making it harder to manage them.
A set of files were used to manage these credentials:
config/credentials.yml.enc is an encrypted file which store the credentials.
As this is a encrypted file, we can safely commit it to our version control systems.
RAILS_MASTER_KEY which is
used to decrypt the
We should not commit this file to version control.
Interacting with credentials
config/credentials.yml.enc is encrypted
we should never directly read from or write to it.
Instead, we will use utilities provided by Rails
which abstract encryption and decryption process for us.
How to add/update credentials?
We can edit the
credentials by running the following command:
This will open a vim editor with the decrypted version of the credentials file.
We can add new credentials in YAML format.
Lets add the following lines,
save the changes,
When we save it, it encrypts again using the same master key.
If default editor is not set and we haven’t specified the editor, then we get the following message:
How to read credentials?
We can now access the credentials in the following way:
Managing multi environment credentials before Rails 6
There was no built in support for multiple environment credentials before Rails 6. We could manage credentials for different environments but it was upto us to explicitly specify which set of credentials to use for a specific environment.
We could store the credentials in a single file as below:
Then, config can be accessed using the following command:
There are some problems with this approach:
- There is just 1 master key and everyone on the development team had access to it. Which means everyone on the development team had access to production environment.
- We needed to explicitly specify which environment credentials to use in the code.
Another way to manage environment specific credentials
was by creating environment specific files.
For example, we can create
config/staging.yml.enc for staging environment
config/production.yml.enc for production environment.
To read config from these files, Rails 5.2 provided
encrypted method to support for managing multiple
This approach involved writing even more boiler plate code to manage the keys and the encrypted files for every environment.
In Rails 6
Now, Rails 6 has added support for multi environment credentials.
It provides utility to easily create and use environment specific credentials. Each of these have their own encryption keys.
The changes added in the above PR are backwards compatible. If environment specific credentials are not present then rails will use the global credentials and master key which are represented by following files:
We use the global configuration only
We share the
config/master.key with our entire team.
Create credentials for production environment
To create credentials for
we can run the following command:
The above command does the following:
config/credentials/production.keyif missing. Don’t commit this file to VCS.
config/credentials/production.yml.encif missing. Commit this file to VCS.
- Decrypts and opens the production credentials file in the default editor.
We share the
production.key with limited members of our team
who have access for production deployment.
Let’s add following credentials and save:
Similarly we can create credentials for different environment like
Using the credentials in Rails
For any environment Rails automatically detects which set of credential to use. Environment specific credentials will take precedence over global credentials. If environment specific credentials are present, they will be used else Rails will default to global credentials.
Storing encryption key in environment variables
We can also set the value of the encryption key in specific environment variable Rails will auto detect and use it.
We can either use the generic environment variable
an environment specific environment variable like
If these variable are set then we don’t need to create the
Rails will auto detect these variables and use them to encrypt/decrypt the credential files.
The environment variable can be used for example on
Heroku or similar platforms.