How to store credentials in Rails 7

Steven     30.12.2021

Rails has a very simple way to store all kinds of credentials, based on two files:

  • credentials.yml.enc: this file holds every secret that should travel with your code but must not be readable by anyone who only has the repository. It can only be decrypted with the master key, so the *.enc file is safe to commit to your code repository (e.g. git).
  • master.key: this file contains the encryption key (a random 128-bit key written as 32 hex characters) used to encrypt and decrypt credentials.yml.enc. Never commit or share this file: Rails adds config/master.key to .gitignore when it generates the app, and anyone holding both files can read every secret.

Example credentials to be stored in credentials.yml.enc

  • secret_key_base
  • email & password
  • database credentials
  • file storage (e.g. aws) credentials

With this approach you no longer hand each secret to the app as an environment variable. The one exception is the master key itself: on a server where you do not want to copy config/master.key, Rails reads the key from the RAILS_MASTER_KEY environment variable instead, and in production you should set config.require_master_key = true so the app refuses to boot without a key. Rails 6 and later can also keep a separate file per environment: rails credentials:edit --environment production writes config/credentials/production.yml.enc and config/credentials/production.key.
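To see exactly what the master key protects, here is the encryption behind credentials.yml.enc reimplemented with plain OpenSSL so it runs without Rails. This is an added example, not code from the original post or from Rails itself; it mirrors what ActiveSupport::EncryptedFile and ActiveSupport::MessageEncryptor do as of Rails 7.0 (AES-128-GCM, hex master key, Marshal-serialized YAML text, a base64 "ciphertext--iv--tag" body). The sample YAML and the generated key are constructed placeholders; check the format details against one of your own apps before relying on them.

```ruby
# Added example, not code from the original post or from Rails itself: the
# encryption behind config/credentials.yml.enc with plain OpenSSL. Mirrors
# ActiveSupport::EncryptedFile / MessageEncryptor as of Rails 7.0:
#   master.key  -> 32 hex characters, decoded to a 16-byte AES-128 key
#   cipher      -> AES-128-GCM, fresh random 12-byte IV per write, empty AAD
#   plaintext   -> Marshal.dump(<YAML text>)
#   .enc body   -> base64(ciphertext) + "--" + base64(iv) + "--" + base64(tag)
# Verify against your own app before relying on the format details.
require "openssl"
require "securerandom"
require "yaml"

CIPHER = "aes-128-gcm"

# Same shape as the key Rails writes to config/master.key.
def generate_master_key
  SecureRandom.hex(16)
end

def key_bytes(master_key_hex)
  raise ArgumentError, "master key must be 32 hex characters" unless master_key_hex.match?(/\A\h{32}\z/)
  [master_key_hex].pack("H*")
end

def encrypt_credentials(master_key_hex, yaml_text)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = key_bytes(master_key_hex)
  iv = cipher.random_iv            # new IV every write; never reuse one under the same key
  cipher.auth_data = ""
  ciphertext = cipher.update(Marshal.dump(yaml_text)) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Raises OpenSSL::Cipher::CipherError if the key is wrong or the file was
# modified: GCM verifies the tag in #final, before any plaintext is trusted.
def decrypt_credentials(master_key_hex, enc_body)
  parts = enc_body.split("--")
  raise ArgumentError, "malformed credentials file" unless parts.length == 3
  ciphertext, iv, tag = parts.map { |part| part.unpack1("m0") }
  raise ArgumentError, "bad auth tag length" unless tag.bytesize == 16
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = key_bytes(master_key_hex)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  Marshal.load(cipher.update(ciphertext) + cipher.final)  # only reached if the tag verified
end

# The parsed Hash with symbol keys, like Rails.application.credentials.config.
def load_credentials(master_key_hex, enc_body)
  YAML.safe_load(decrypt_credentials(master_key_hex, enc_body), symbolize_names: true)
end

# Constructed sample data; the values are placeholders, not real secrets.
SAMPLE_YAML = <<~YAML
  secret_key_base: 0123456789abcdef
  aws:
    access_key_id: AKIAEXAMPLEKEYID
    secret_access_key: example-secret-access-key
YAML

if $PROGRAM_NAME == __FILE__
  key = generate_master_key
  enc = encrypt_credentials(key, SAMPLE_YAML)
  puts "master.key:          #{key}"
  puts "credentials.yml.enc: #{enc[0, 40]}..."
  puts "aws.access_key_id:   #{load_credentials(key, enc).dig(:aws, :access_key_id)}"
end
```

Two properties matter for the security argument of this page: the .enc body contains no recoverable plaintext without the 16-byte key, and because GCM is authenticated, a modified .enc file (or the wrong key) fails outright instead of yielding garbled YAML. Note that every edit produces a new IV, so two encryptions of identical content never look the same in git.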

Example credentials.yml

What the decrypted file looks like while you edit it. On disk the file only ever exists as config/credentials.yml.enc; the plaintext below lives in a temporary file that Rails removes as soon as the editor closes. Keys are nested, so the application reads them with dig, e.g. :aws followed by :access_key_id. The email and aws parent keys are the ones used further down this page; the database parents are an assumed layout.

### config/credentials.yml (decrypted view of config/credentials.yml.enc)

# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
secret_key_base: <your-secret-key-base>

# used for e.g. ActionMailer email delivery
email:
  user: <email-address>
  password: <email-pass>

# database access in production environment
# (parent keys "database" and "production" are an assumed layout)
database:
  production:
    database: <production-database-name>
    username: <database-user>
    password: <database-pass>
    host: <database-host>

# ActiveStorage file storing in the cloud
aws:
  access_key_id: <aws-key-id>
  secret_access_key: <aws-secret-key>

Opening and closing credentials.yml

Open the credentials file from within your application folder:

$ rails credentials:edit

With this command Rails reads config/master.key, decrypts config/credentials.yml.enc into a temporary plaintext file and opens that file in the editor named by the EDITOR environment variable. When the editor exits, Rails encrypts the new contents back into config/credentials.yml.enc and deletes the temporary file. The editor command therefore has to block until you close the file; for GUI editors pass their wait flag (for example code --wait for VS Code), otherwise Rails sees an unchanged file the moment the command returns. If no master key exists yet, the first run generates config/master.key for you. To read the credentials without editing them, use rails credentials:show.

In case you’re on Windows, you can set the editor of choice using:

# regular command prompt
> SET EDITOR="C:/Program Files (x86)/Notepad++/notepad++.exe"
> rails credentials:edit

# Windows powershell
> $env:EDITOR="notepad"
> rails credentials:edit

Accessing and using credentials data in Rails

Read values with the Rails.application.credentials.dig method, passing the nested keys as symbols. Note that dig returns nil for a key that does not exist (or is misspelled), so a missing credential does not fail at boot but only when the mailer or storage service is first used. Both files below are ERB, so the lookups run when Rails loads the configuration:

### config/storage.yml

amazon:   # default service name from the generated storage.yml, referenced by config.active_storage.service
  service: S3
  access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %>
  secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %>
  region: <your-region-here>
  bucket: <bucket-name>

### config/environments/production.rb

config.action_mailer.smtp_settings = {
  address:              '<email-server>',
  port:                 '<port>',            # 465 for SMTPS (tls: true), 587 for STARTTLS
  domain:               '<your-domain>',
  user_name:            Rails.application.credentials.dig(:email, :user),
  password:             Rails.application.credentials.dig(:email, :password),
  authentication:       :plain,
  tls:                  true,                # implicit TLS (SMTPS); the Mail gem ignores enable_starttls_auto when this is set
  enable_starttls_auto: true                 # only used when tls is not set, i.e. for STARTTLS on port 587
}
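Because dig returns nil for a missing or misspelled key, a broken credentials file surfaces only when the first email or S3 upload fails. The following boot-time check is an added example, not code from the original post: it walks the decrypted credentials and names every required path that is nil or blank. It works on a plain Hash with symbol keys, which is what Rails.application.credentials.config returns; here a constructed YAML string stands in for that Hash so the example runs without Rails, and the initializer placement mentioned in the comments is an assumption.

```ruby
# Added example, not code from the original post. Rails.application.credentials.dig
# returns nil when a key is missing or misspelled, so a broken credentials file
# is noticed only when the first email or S3 upload fails. This check walks the
# decrypted credentials Hash and names every required path that is nil or blank.
require "yaml"

# Key paths this page's storage.yml and production.rb read.
REQUIRED_CREDENTIALS = [
  %i[secret_key_base],
  %i[email user],
  %i[email password],
  %i[aws access_key_id],
  %i[aws secret_access_key],
].freeze

# True when the path resolves to a non-nil, non-blank value.
def present_at?(creds, path)
  value = creds.dig(*path)
  return false if value.nil?
  !(value.respond_to?(:empty?) && value.empty?)
rescue TypeError
  false  # an intermediate key holds a scalar, e.g. `email: foo` instead of a mapping
end

def missing_credentials(creds, required = REQUIRED_CREDENTIALS)
  required.reject { |path| present_at?(creds, path) }
end

# Call from an initializer so a bad credentials file stops the boot, e.g.
#   assert_credentials!(Rails.application.credentials.config) if Rails.env.production?
# (assumed placement, not from the original post)
def assert_credentials!(creds, required = REQUIRED_CREDENTIALS)
  missing = missing_credentials(creds, required)
  return creds if missing.empty?
  raise KeyError, "missing credentials: #{missing.map { |p| p.join('.') }.join(', ')}"
end

# Constructed sample: email.password is blank and aws.secret_access_key is absent.
SAMPLE_CREDENTIALS_YAML = <<~YAML
  secret_key_base: 0123456789abcdef
  email:
    user: app@example.com
    password: ""
  aws:
    access_key_id: AKIAEXAMPLEKEYID
YAML

def sample_credentials
  YAML.safe_load(SAMPLE_CREDENTIALS_YAML, symbolize_names: true)
end

if $PROGRAM_NAME == __FILE__
  puts missing_credentials(sample_credentials).map { |p| p.join(".") }.inspect
  # => ["email.password", "aws.secret_access_key"]
end
```

Failing at boot with the full list of missing paths is cheaper to debug than an SMTP authentication error in production, and it also catches the case where a value was pasted in as an empty string.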
