The Awesome Framework - Commutatus’ definition of awesome
The Awesome Framework - Commutatus’ definition of awesome
Rails Secure Credentials
🚆

Rails Secure Credentials

Created
Apr 8, 2022 8:17 AM
Department
Engineering
Category
Security
Technology
Ruby on Rails
Tags
Date
URL

In the older version of rails 5.2, we place all our credentials inside config/secrets.yml. But later rails 5.2 and upcoming versions replaced the current config/secrets.yml with config/secrets.yml.enc

Before Using Rails Credentials

  1. Add a key inside config/credentials/production.key before using rails credentials

    2. We can use more files based on the environment

    Examples

     config/credentials/production.key
 config/credentials/staging.key
 config/credentials/development.key
  2. Save the key that you added inside the file config/credentials/production.key somewhere else.

This is the key used to encrypt the credentials, so if we miss this key then we can’t decrypt our file to edit or use the credentials inside our config/credentials/production.yml.enc

Adding credentials

  1. As credentials are encrypted and saved in the file config/credentials/production.yml.enc so to add your credentials inside this we should run this command in the terminal $ EDITOR="nano" rails credentials:edit

    2. To add credentials using other editors you can simply change the name

    $ EDITOR="subl --wait" rails credentials:edit

  2. If you’re using different credentials based on the environment you should pass the environment name when we running the command
    3.  $ EDITOR="subl --wait" rails credentials:edit --environment production
 $ EDITOR="subl --wait" rails credentials:edit --environment staging
 $ EDITOR="subl --wait" rails credentials:edit --environment development
  3. Add your credentials inside the file

    4. Example,

    aws:
	access_key_id: 123
	secret_access_key: 345

secret_key_base: 84fd6106329678ce7c098f66b7770463f7de50658339f221f8a662d64557295e7b6977c32cba10a00a573868799d9adb04f6e783acc31ef56704161572d9ee3b

    When you save the file and exit your editor, you should be prompted in the terminal with the following message:

    File encrypted and saved.

Using Credentials

  1. The key-value pair we added to the credentials file is available for us to use in our application through the Rails.application.credentials object.
  2. To check if our addition has been encrypted properly, let’s open up the rails console and try to access (decrypt) the value.
    3.  $ rails c
 Loading development environment (Rails 5.2.0.rc1)
 [1] pry(main)> Rails.application.credentials.aws[:access_key_id]
 => 123
  3. We can call rails credentials inside the project in various ways eg.
    4.  Rails.application.credentials.aws[:access_key_id]
 Rails.application.credentials.dig(:aws, :access_key_id)
 Rails.application.credentials.dig(:secret_key_base)

Adding The Master Key On Cloud66

We can add our master key to Cloud66 as an environment variable.

  1. Click on Configuration on the right side of the cloud66 dashboard.
  2. Under the Environment Variables tab, you can find + Add new variable click on this to add your custom environment variables
  3. Enter your master key name and its value. Example,
    4. Key = RAILS_MASTER_KEY
Value = f322f4eab45b202e2123e160eeffser1
  4. Place this master key inside your config/credentials/production.yml file to encrypt and decrypt credentials.

Note: The file will decrypt and open automatically at the time when we run the command EDITOR="subl --wait" rails credentials:edit --environment production to editing if the key presented inside the file config/credentials/production.yml was the correct one which is used before the generation of config/credentials/production.yml.enc.