**Check carefully** before handling confidential information in your production environment with credentials. Absolutely no copy-pasting.
**~ Development environment ~**
When you run `$ rails new`, config/master.key and credentials.yml.enc seem to be created.
This master.key is then used to encrypt and decrypt.
(Keep the master.key in a safe place)
Execute the following command to edit the confidential information.
```
$ rails credentials:edit # If master.key does not exist, running this creates a new one.
```
**~ Production environment ~**
You will also need secret_key_base for encryption and decryption.
Create it locally by running the `$ rails secret` command.
Place the local master.key on the server in advance.
# Be careful in the production environment
I mentioned earlier that master.key is used to encrypt and decrypt credentials.yml.enc. This master.key is listed in .gitignore by default, so it is not managed by Git.
This is the important part.
Of course, even if I clone the Git repository on EC2, this master.key does not come to the server.
If I forget about that and execute the `$ rails credentials:edit` command to add the secret information of the production environment... Since there is no master.key on the server, a new one is generated.
At this point, the local master.key and the server master.key are different, and credentials.yml.enc cannot be decrypted. Oh, it's hard.
```
Couldn't decrypt config/credentials.yml.enc. Perhaps you passed the wrong key?
```
I get an error like this, or this one:
```
ActiveSupport::MessageEncryptor::InvalidMessage
```
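The mismatch described above can be detected before anything is edited on the server. The following Ruby sketch is an added example, not code from the original post or from Rails itself. It assumes the credentials.yml.enc layout used by ActiveSupport::EncryptedFile (AES-128-GCM, a 32-hex-character key, Base64 parts joined with `--`); `seal`, `check_key` and the sample keys are constructed for illustration.

```ruby
require "openssl"

# Assumed file layout (not stated on the page): AES-128-GCM, hex key,
# Base64 "ciphertext--iv--auth_tag", empty associated data.
CIPHER = "aes-128-gcm"

# Builds a blob in that layout; used only to construct sample data below.
def seal(plaintext, key_hex)
  c = OpenSSL::Cipher.new(CIPHER).encrypt
  c.key = [key_hex].pack("H*")
  iv = c.random_iv
  c.auth_data = ""
  data = c.update(plaintext) + c.final
  [data, iv, c.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Returns :ok, :bad_key_format, :bad_file_format or :wrong_key.
# Only the GCM tag is verified; the plaintext is never deserialized.
def check_key(blob, key_hex)
  key_hex = key_hex.to_s.strip
  return :bad_key_format unless key_hex.match?(/\A\h{32}\z/)
  parts = blob.to_s.strip.split("--")
  return :bad_file_format unless parts.size == 3
  data, iv, tag = parts.map { |part| part.unpack1("m") }
  unless !data.empty? && iv.bytesize == 12 && tag.bytesize == 16
    return :bad_file_format
  end
  d = OpenSSL::Cipher.new(CIPHER).decrypt
  d.key = [key_hex].pack("H*")
  d.iv = iv
  d.auth_tag = tag
  d.auth_data = ""
  d.update(data)
  d.final # raises CipherError when the key does not match the file
  :ok
rescue OpenSSL::Cipher::CipherError
  :wrong_key
end

# Constructed sample: the file was sealed with the local key, while the
# server holds a different, freshly generated key.
LOCAL_KEY  = "00112233445566778899aabbccddeeff"
SERVER_KEY = "ffeeddccbbaa99887766554433221100"
SAMPLE_ENC = seal("aws:\n  secret: constructed-sample\n", LOCAL_KEY)

puts "local key:  #{check_key(SAMPLE_ENC, LOCAL_KEY)}"
puts "server key: #{check_key(SAMPLE_ENC, SERVER_KEY)}"
```

On a real server, pass the contents of config/credentials.yml.enc and of the key file to `check_key` and only open the editor when it returns `:ok`.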
## I want to decrypt the credentials again
All you have to do is put the local master.key on the server.
If you lose master.key, it seems that deleting config/credentials.yml.enc and then running the following command generates a new one.
However, please note that all the contents of credentials will be blown away.
```
$ sudo EDITOR=vim rails credentials:edit
```
# Rails 6 or later and credentials.yml.enc
From Rails 6 onwards, confidential information can be separated for each environment. (Hooray!)
When you want to add information in the production environment, execute the following command.
Change the value after `--environment` to match the environment.
```
$ rails credentials:edit --environment production
```
This command creates config/credentials/production.yml.enc and config/credentials/production.key. The corresponding environment appears in the file name and the key name respectively.
You only need to give production.key to the server.
Even in this case, be careful when handling master.key and secret_key_base.