Rails 5.2 introduces the encrypted secrets feature through the usage of the awesome credentials.yml. But I'm struggling to get it to work with Heroku.

Is there any strategy available right now to deploy a Rails 5.2 app to Heroku?

Bergrebell

2 Answers

You should set the environment variable RAILS_MASTER_KEY, either on your Heroku web dashboard, or using the console:

$ heroku config:set RAILS_MASTER_KEY=<your-master-key>

Example:

$ heroku config:set RAILS_MASTER_KEY=123456789

(The < and > are placeholders)

Rails will detect this variable and use it as your master key (instead of looking for it in master.key file).

BenKoshy
Gerry
  • @Gerry Rails used to have `rails secret` to generate a new secret key. Is there a way to generate a new master key? – Tallboy Apr 11 '18 at 17:47
  • @Tallboy Yes, you can run `bundle exec rails runner "puts ActiveSupport::EncryptedConfiguration.generate_key"`. Just consider that you won't be able to decrypt any file encrypted with a previous key. – Gerry Apr 11 '18 at 17:53
  • Am I supposed to use the same `master.key` I have locally as I do in production then? What if I don't want local developers being able to encrypt my production secrets? – Tallboy Apr 11 '18 at 17:58
  • @Tallboy Generally yes, you will use the same _master.key_ in production. If you would like to keep sensitive data private, you could set environment variables in the server, instead of putting them directly on your credentials file. – Gerry Apr 11 '18 at 18:55
  • @Obromios _config/master.key_ is created when you create your app (i.e. `$ rails new myapp`) or, if you are upgrading from another Rails version, when you edit your credentials file with `$ EDITOR=vim rails credentials:edit`. There is no automatic way of changing your _master.key_, you must do it manually (e.g. 1. `$ cd config` 2. `$ rails credentials:show > credentials.tmp`, 3. `$ mv credentials.yml.enc ../tmp/ && mv master.key ../tmp/`, 4. `$ cat credentials.tmp | pbcopy` 5. `$ EDITOR=vim rails credentials:edit` and replace all with content copied in step 4. 6. remove tmp files). – Gerry Aug 02 '18 at 23:42
  • @Obromios With Linux use `xclip` instead of `pbcopy` in step 4. – Gerry Aug 02 '18 at 23:44
  • Thank you! Should I surround my master key with the `<` and `>` symbols? – BenKoshy Sep 07 '18 at 12:10
  • @BKSpurgeon No, I used those only as placeholders. – Gerry Sep 07 '18 at 15:02

You could also use the following command to create Heroku RAILS_MASTER_KEY with the contents of your local config/master.key:

heroku config:set RAILS_MASTER_KEY="$(< config/master.key)"

Note: make sure you are in the directory that contains your Rails app.

Paulo Belo
  • If the key is kept alongside the encrypted file in the git repo then there's no purpose to using the encryption mechanism. If someone gets access to your source control, they get your keys – Jason FB Apr 20 '20 at 15:33
  • @JasonFB you are right. That's why you should use Environmental Variables, and configure them like in the example above. You can check details here: https://devcenter.heroku.com/articles/heroku-cli-commands#heroku-config-set – Paulo Belo Apr 20 '20 at 20:07
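
A pre-deploy check for the setup the answers and comments above describe, added here as an example and not code from any of the posters. It assumes the 32-hex-character key that Rails generates; the function name `check_master_key` and its return codes are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify config/master.key before copying it into Heroku config.
# Assumption: the key is the 32 hexadecimal characters Rails generates.
# Returns 0 = safe, 1 = missing, 2 = malformed, 3 = tracked by git, 4 = not ignored.
check_master_key() {
  local app_dir="${1:-.}" key_file key
  key_file="$app_dir/config/master.key"

  if [ ! -f "$key_file" ]; then
    echo "FAIL: $key_file not found" >&2; return 1
  fi

  # Strip the trailing newline and any stray whitespace before validating.
  key="$(tr -d '[:space:]' < "$key_file")"
  case "$key" in
    *[!0-9a-fA-F]*|"") echo "FAIL: key is not hexadecimal" >&2; return 2 ;;
  esac
  if [ "${#key}" -ne 32 ]; then
    echo "FAIL: key has ${#key} characters, expected 32" >&2; return 2
  fi

  # The git checks run only when git is installed and app_dir is a work tree.
  if command -v git >/dev/null 2>&1 &&
     git -C "$app_dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    if git -C "$app_dir" ls-files --error-unmatch config/master.key >/dev/null 2>&1; then
      echo "FAIL: config/master.key is tracked by git; untrack it and rotate the key" >&2
      return 3
    fi
    if ! git -C "$app_dir" check-ignore -q config/master.key; then
      echo "FAIL: config/master.key is not covered by .gitignore" >&2
      return 4
    fi
  fi

  echo "OK: run: heroku config:set RAILS_MASTER_KEY=\"\$(< config/master.key)\""
}
```

Run it from the Rails app directory as `check_master_key .`; a key that was ever committed stays in the repository history, so return code 3 means generating a new key and re-encrypting the credentials as described in the comments above.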