2

I have created a new Rails app with version 5.2. Rails 5.2 introduced the encryption feature for secrets.

I have configured the secret key in the devise.rb file:

```ruby
config.secret_key = Rails.application.credentials[Rails.env.to_sym][:secret_key_base]
```

and also added the secret keys for all environments using

```
EDITOR=vim rails credentials:edit
```

```yaml
development:
  secret_key_base: absdss

test:
  secret_key_base: 123232

production:
  secret_key_base: 123456
```

After saving the credentials, I am able to get the secret keys in the Rails console locally.

Output in rails console:

```
Running via Spring preloader in process 44308
Loading development environment (Rails 5.2.0)
2.5.1 :001 > Rails.application.credentials.development[:secret_key_base]
=> "absdss"
```

The credentials are not working on the production server. We are using CI/CD in GitLab for the deployment stages. When I run

```
rails db:create db:migrate
```

I am getting the following error:

```
> rails db:create db:migrate
 ---> Running in 1563453ddf2a
rails aborted!
NoMethodError: undefined method `[]' for nil:NilClass
/usr/src/app/config/initializers/devise.rb:12:in `block in <main>'
/usr/local/bundle/gems/devise-4.4.3/lib/devise.rb:307:in `setup'
/usr/src/app/config/initializers/devise.rb:5:in `<main>'
/usr/local/bundle/gems/bootsnap-1.3.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:50:in `load'
```

Now the question is: how do I set the RAILS_MASTER_KEY on the production server?

Aravind

3 Answers

6

I'm sharing a few points which may help you.

Encrypted credentials offer a few advantages over plaintext credentials or environment variables

Rails 5.1 introduced encrypted secrets

config/secrets.yml.key
config/secrets.yml.enc

Rails 5.2 replaces both secrets with encrypted credentials

config/credentials.yml.enc
config/master.key

The config/master.key file is created while creating a Rails project.

The encryption key (master.key) is git-ignored.

In production

config/environments/production.rb

config.require_master_key = true

Can’t decrypt your credentials without the key

Managing the Key

a. scp or sftp the file

b. If you need to give a developer a copy of the key, then you can use a password manager, because they use encryption.

c. I used LastPass for managing the master key file.

The key used to encrypt credentials is different from the secret key base.

The key on master.key is used to encrypt and decrypt all credentials. It does not replace the secret key base.

The secret key base is required by Rails. If you want to generate a new secret key base, run

bin/rails secret

and add that to your credentials by running bin/rails credentials:edit.

praaveen V R
  • for more info you can check this https://medium.com/@praaveen/part-1-rails5-2-credentials-encrypted-credentials-662c6e375fdb blog – praaveen V R Jun 27 '18 at 16:23
  • I have configured "$RAILS_MASTER_KEY" > config/master.key. It ended up in the ArgumentError: key must be 16 bytes error – Aravind Jun 28 '18 at 05:41
  • Hi @Praveen, when you say "Scp or sftp the file " in the section on Managing your Key - how would you typically do this? I have tried using Filezilla, but the `master.key` isn't visible on my local machine (due to its file extension I expect) and I also don't have permission to access the target folder on the server `/app_name/shared/config`. I've seen mention of doing this using a rake task, but wondered if there was a simpler way? – Texas Oct 11 '18 at 07:58
  • The additional information is super helpful. Thank you! – Chris.Zou Dec 11 '19 at 07:29
4

You can put your master key as a MASTER_KEY secret variable in GitLab CI/CD Settings and then put

echo "$MASTER_KEY" > config/master.key

in before_script section of your .gitlab-ci.yml file.

Marek Lipka
  • Thanks for the immediate response @Marek Lipka. After adding the master.key, I am now getting the `ArgumentError: key must be 16 bytes` – Aravind Jun 27 '18 at 08:57
  • I have configured `"$RAILS_MASTER_KEY" > config/master.key`. It ended up in the `ArgumentError: key must be 16 bytes` error – Aravind Jun 28 '18 at 02:15
  • Are you sure you set `RAILS_MASTER_KEY` env variable in your CI environment? – Marek Lipka Jul 11 '18 at 06:46
  • @Aravi Your RAILS_MASTER_KEY value needs to be exactly 32 bytes. See https://github.com/rails/rails/issues/33528#issuecomment-412677795 – oskarpearson Aug 13 '18 at 21:56
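
Added example, not part of the original answers or of Rails: a preflight check for the `before_script` step above that fails early when the CI variable is empty or malformed, which is what surfaces later as `key must be 16 bytes`. It assumes the key format Rails generates for `config/master.key` (32 hexadecimal characters, decoded to a 16-byte AES-128-GCM key); the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Added example: validate a CI-provided Rails master key before writing it.
# MASTER_KEY is the CI variable name used in the answer above; the function
# names and return codes are hypothetical.

# check_master_key KEY
# Returns 0 if KEY is exactly 32 hex characters, 1 if it is empty,
# 2 if it has the wrong length or contains non-hex characters.
# The key itself is never printed, so it cannot leak into the job log.
check_master_key() {
    key=$1
    if [ -z "$key" ]; then
        echo "master key is empty: is the CI variable set and exposed to this branch?" >&2
        return 1
    fi
    case $key in
        *[!0-9a-fA-F]*)
            echo "master key contains non-hex characters (whitespace, quotes, CR/LF?)" >&2
            return 2 ;;
    esac
    if [ "${#key}" -ne 32 ]; then
        echo "master key has ${#key} characters, expected 32" >&2
        return 2
    fi
    return 0
}

# write_master_key KEY DEST
# Validates KEY, then writes it to DEST without a trailing newline.
# umask 077 makes a newly created file readable by the owner only.
write_master_key() {
    check_master_key "$1" || return $?
    (
        umask 077
        printf '%s' "$1" > "$2"
    )
}
```

In `before_script`, source this file and call `write_master_key "$MASTER_KEY" config/master.key` in place of the bare `echo`.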
0
Rails.application.credentials.development&.dig(:secret_key_base)

Try this instead.