[Ruby] Production environment and credentials.yml.enc


What I want to convey in this article

Please read this before handling confidential information in the production environment with credentials. Do not simply copy and paste commands without checking.

Basic knowledge about encryption and decryption

**-Development environment-**
When `$ rails new` is run, config/credentials.yml.enc is created together with config/master.key.


This master.key is then used to encrypt and decrypt credentials.yml.enc.
(Keep the master.key in a safe place.)

To edit the secret information, execute the following command.

$ rails credentials:edit #master.key is created when it doesn’t exist



**-Production environment-**
You also need the secret_key_base for encryption and decryption.
Create it by running the `$ rails secret` command locally.

Make sure that the local master.key is also placed on the server in advance.

Be careful in a production environment

I wrote earlier that master.key is used for encryption and decryption of credentials.yml.enc. Since this master.key is listed in .gitignore by default, it is not managed by Git.

This is the important part. Even if you clone the Git repository on EC2, this master.key does not come to the server. If you forget that and, wanting to add secret information for the production environment, run the `$ rails credentials:edit` command on the server, a new master.key is generated because none exists there.



At this point, the local master.key and the server's master.key are different and you cannot decrypt the credentials.yml.enc. It's tough.

You get an error like this:

Couldn’t decrypt config/credentials.yml.enc. Perhaps you passed the wrong key?

or this one:

ActiveSupport::MessageEncryptor::InvalidMessage
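The key mismatch described above, as an added example that is not from the original article: a stand-alone Ruby model of the encryption using AES-128-GCM from the standard library, showing that a freshly generated key cannot decrypt a file encrypted with the original key, plus a check to run before editing credentials on a server. It assumes the same cipher and 32-hex-character key that Rails uses; the helper names (`generate_key`, `encrypt`, `decrypt`, `preflight`), the simplified file layout and the sample data are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "securerandom"

CIPHER = "aes-128-gcm" # assumption: same cipher Rails uses for credentials files

# A key shaped like the contents of master.key: 32 hex characters (16 bytes).
def generate_key
  SecureRandom.hex(16)
end

# Encrypt into "data--iv--tag", each part Base64-encoded (simplified layout).
def encrypt(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Returns the plaintext, or nil when the key fails GCM authentication.
def decrypt(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(data) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Preflight for a server: only edit credentials when the key present on this
# machine really decrypts the committed file. A missing key means "stop",
# not "let the tool generate a new one".
def preflight(encrypted_blob, key_on_this_machine)
  return :no_key_do_not_edit if key_on_this_machine.nil? || key_on_this_machine.strip.empty?
  return :wrong_key if decrypt(encrypted_blob, key_on_this_machine.strip).nil?
  :ok
end

if __FILE__ == $PROGRAM_NAME
  local_key  = generate_key                                  # constructed: key on the developer machine
  blob       = encrypt("api:\n  token: constructed\n", local_key)
  server_key = generate_key                                  # constructed: key newly generated on the server
  p preflight(blob, nil)        # no key on the server yet
  p preflight(blob, server_key) # newly generated key does not match
  p preflight(blob, local_key)  # original key copied to the server
end
```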

## I want to decrypt my credentials again
Just put your local master.key on the server.


If you have lost master.key, delete config/credentials.yml.enc and then run the following command.
It seems to create a new one.
However, please note that all the contents of the credentials will be lost.

$ sudo EDITOR=vim rails credentials:edit


# Rails 6 or later and credentials.yml.enc
From Rails 6 onwards, it is possible to separate confidential information for each environment.

When you want to add information in the production environment, execute the following command.
Change the value after the environment option to match your environment.

$ rails credentials:edit --environment production

This command creates config/credentials/production.yml.enc and config/credentials/production.key. The file name and the key name both carry the name of the corresponding environment. Only production.key should be given to the server.

Even in this case, be careful about handling master.key and secret_key_base.
