Rails Secure Credentials

Rails Secure Credentials

Apr 8, 2022 8:17 AM
Ruby on Rails

In the older version of rails 5.2, we place all our credentials inside config/secrets.yml. But later rails 5.2 and upcoming versions replaced the current config/secrets.yml with config/secrets.yml.enc


Before Using Rails Credentials

  1. Add a key inside config/credentials/production.key before using rails credentials
  2. We can use more files based on the environment


  3. Save the key that you added inside the file config/credentials/production.key somewhere else.

This is the key used to encrypt the credentials, so if we miss this key then we can’t decrypt our file to edit or use the credentials inside our config/credentials/production.yml.enc


Adding credentials

  1. As credentials are encrypted and saved in the file config/credentials/production.yml.enc so to add your credentials inside this we should run this command in the terminal $ EDITOR="nano" rails credentials:edit
  2. To add credentials using other editors you can simply change the name

    $ EDITOR="subl --wait" rails credentials:edit

  3. If you’re using different credentials based on the environment you should pass the environment name when we running the command
  4.  $ EDITOR="subl --wait" rails credentials:edit --environment production
     $ EDITOR="subl --wait" rails credentials:edit --environment staging
     $ EDITOR="subl --wait" rails credentials:edit --environment development
  5. Add your credentials inside the file
  6. Example,

    	access_key_id: 123
    	secret_access_key: 345
    secret_key_base: 84fd6106329678ce7c098f66b7770463f7de50658339f221f8a662d64557295e7b6977c32cba10a00a573868799d9adb04f6e783acc31ef56704161572d9ee3b

    When you save the file and exit your editor, you should be prompted in the terminal with the following message:

    File encrypted and saved.


Using Credentials

  1. The key-value pair we added to the credentials file is available for us to use in our application through the Rails.application.credentials object.
  2. To check if our addition has been encrypted properly, let’s open up the rails console and try to access (decrypt) the value.
  3.  $ rails c
     Loading development environment (Rails 5.2.0.rc1)
     [1] pry(main)> Rails.application.credentials.aws[:access_key_id]
     => 123
  4. We can call rails credentials inside the project in various ways eg.
  5.  Rails.application.credentials.aws[:access_key_id]
     Rails.application.credentials.dig(:aws, :access_key_id)

Adding The Master Key On Cloud66

We can add our master key to Cloud66 as an environment variable.

  1. Click on Configuration on the right side of the cloud66 dashboard.
  2. Under the Environment Variables tab, you can find + Add new variable click on this to add your custom environment variables
  3. Enter your master key name and its value. Example,
    Value = f322f4eab45b202e2123e160eeffser1
  5. Place this master key inside your config/credentials/production.yml file to encrypt and decrypt credentials.

Note: The file will decrypt and open automatically at the time when we run the command EDITOR="subl --wait" rails credentials:edit --environment production to editing if the key presented inside the file config/credentials/production.yml was the correct one which is used before the generation of config/credentials/production.yml.enc.