10

With Rails 6 (or 5.2) encrypted credentials, I am running into difficulty managing and resolving merge conflicts in the credentials.yml.enc file. As is outlined in the documentation, the intention is that encrypted credentials can be added to source control (https://guides.rubyonrails.org/security.html#custom-credentials).

E.g. branch_a adds credentials for service a and gets merged to master. branch_b adds credentials for service b, and when rebasing, the conflict in the credentials.yml.enc file looks something like this:

```
<<<<<<< HEAD
sahdkajshdkajhsdkjahsdkjahsdkajhsdkjahsdkjahdskjahsdjkahsdencryptedstring-a09dpjmcas==
=======
laskdjalksjdlakjsdlaksjdlakjsdlaksjdlakjsdlajsdlkajsdlkjasdljalsdajsdencryptedstringrere=
>>>>>>> branch_b
```

I can view the unencrypted credentials.yml.enc on each branch and resolve conflicts quite manually, but is there a better way to go about managing credentials generally in order to avoid these credential conflicts?

cash22

4 Answers

5

I don't believe there is a better way, no.

Because of the nature of the encryption, there is no way to resolve it in its encrypted state. If that were possible, it would imply that you can somehow know the values and keys of the file in the encrypted state.

When you do your merge, you should resolve any conflicts in the source file, and then rerun the command that generates the encrypted file, then complete your merge.

ekampp
  • 1
    Thank you for this response. I also have decided to use a different system for non-production credentials for this reason. Not implemented yet but I intend to only use the credentials file to manage production and only certain members of the team have access of course. This will remove the conflicts issue too – cash22 Dec 12 '19 at 10:36
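
The approach in the answer above (resolve the conflict in the decrypted YAML, then re-encrypt) as an added Ruby sketch; it is not code from the answers or from Rails. `encrypt`/`decrypt` are stand-in AES-GCM helpers rather than Rails' `ActiveSupport::EncryptedFile`, and `merge3`, `resolve` and the sample values are hypothetical names and constructed data.

```ruby
require "openssl"
require "yaml"

# Stand-in AES-GCM helpers for this sketch (not ActiveSupport::EncryptedFile).
def encrypt(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh IV, so equal plaintexts encrypt differently
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

def decrypt(blob, key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m") }
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key, cipher.iv, cipher.auth_tag = key, iv, tag
  cipher.update(data) + cipher.final # raises if the tag does not verify
end

# Three-way merge of decrypted hashes; nil means "key absent". A path is a
# conflict only when both sides changed it to different non-hash values.
def merge3(base, ours, theirs, path = [])
  merged, conflicts = {}, []
  (ours.keys | theirs.keys | base.keys).each do |k|
    b, o, t = base[k], ours[k], theirs[k]
    if o == t || t == b then value = o
    elsif o == b then value = t
    elsif o.is_a?(Hash) && t.is_a?(Hash)
      value, nested = merge3(b.is_a?(Hash) ? b : {}, o, t, path + [k])
      conflicts.concat(nested)
    else
      conflicts << (path + [k]).join(".")
      value = o # keep our side; a person must settle the listed paths
    end
    merged[k] = value unless value.nil?
  end
  [merged, conflicts]
end

# Decrypt each version, merge the plaintext in memory, re-encrypt the result.
def resolve(key, *blobs)
  base, ours, theirs = blobs.map { |b| YAML.safe_load(decrypt(b, key)) || {} }
  merged, conflicts = merge3(base, ours, theirs)
  [encrypt(YAML.dump(merged), key), conflicts]
end

# Constructed sample: branch_a adds service_a, branch_b adds service_b.
KEY = OpenSSL::Random.random_bytes(16)
BASE, OURS, THEIRS = ["", "service_a: {token: aaa}\n", "service_b: {token: bbb}\n"]
  .map { |extra| encrypt("secret_key_base: abc\n#{extra}", KEY) }
```

`resolve(KEY, BASE, OURS, THEIRS)` returns the re-encrypted merged blob and an empty conflict list for this sample; plaintext stays in memory and is never written to disk.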
5

It is possible. From the rails credentials usage:

=== Set up Git to Diff Credentials

Rails provides `rails credentials:diff --enroll` to instruct Git to call `rails credentials:diff`
when `git diff` is run on a credentials file.

Running the command enrolls the project such that all credentials files use the
"rails_credentials" diff driver in .gitattributes.

Additionally since Git requires the driver itself to be set up in a config file
that isn't tracked Rails automatically ensures it's configured when running
`credentials:edit`.

Otherwise each co-worker would have to run enable manually, including on each new
repo clone.
Escapeit
  • 2
    @ekampp's answer was the right answer at time of asking. Since then this functionality has been added. Link to documentation: https://github.com/rails/rails/blob/main/railties/lib/rails/commands/credentials/USAGE – cash22 Feb 23 '21 at 12:42
1

If you don't have rails credentials:diff...

It is possible to merge them, but you will have to decrypt them.

When dealing with merge conflicts, you can run git mergetool and it should generate 4 files:

```
config/credentials.yml_BACKUP_84723.enc
config/credentials.yml_LOCAL_84723.enc
config/credentials.yml_BASE_84723.enc
config/credentials.yml_REMOTE_84723.enc
```

You may need to run git mergetool in one terminal window and, in another, run this script. Note that this will expose your credentials on the local machine:

```bash
# Temporarily move credentials file to another location
mv config/credentials.yml.enc ~/Desktop/credentials_temp.yml.enc

# Copy local file to original location
cp config/credentials.yml_LOCAL_* config/credentials.yml.enc

# Decrypt and send decrypted credentials to desktop
rails credentials:show > ~/Desktop/credentials_local.yaml

# Delete the copied local file
rm config/credentials.yml.enc

# Copy remote file to original location
cp config/credentials.yml_REMOTE_* config/credentials.yml.enc

# Decrypt and send decrypted credentials to desktop
rails credentials:show > ~/Desktop/credentials_remote.yaml

# Delete the copied remote file
rm config/credentials.yml.enc

# Move credentials file back
mv ~/Desktop/credentials_temp.yml.enc config/credentials.yml.enc

# See diffs or open both
diff ~/Desktop/credentials_local.yaml ~/Desktop/credentials_remote.yaml

# Delete the decrypted files
rm ~/Desktop/credentials_local.yaml ~/Desktop/credentials_remote.yaml
```

Local is on the left. Remote is on the right. Enjoy.

Alex V
-10

Generally it is recommended to ignore credentials in version control i.e. .gitignore and configure them via environment variable.

  • 9
    The whole point of the encrypted credentials in Rails 6 is so that they can be in version control. https://guides.rubyonrails.org/security.html#custom-credentials – cash22 Nov 22 '19 at 10:12