How to store credentials in Rails 7

Steven, 30.12.2021

Rails has a very easy way to store all kinds of credentials, based on the use of two files:

  • credentials.yml.enc: this file contains all data that you want to keep with your code, yet prevent public access to. It can only be decrypted with the master key. You can safely commit the *.enc file to your code repository (e.g. git).
  • master.key: this file contains the encryption key used to encrypt / decrypt the credentials.yml.enc file. Never share this file, and never commit it to the repository!

Example credentials to be stored in credentials.yml.enc

  • secret_key_base
  • email & password
  • database credentials
  • file storage (e.g. aws) credentials

With this approach, there is no need to pass individual secrets around as environment variables. The one exception is the master key itself: a production server reads it either from config/master.key or from the RAILS_MASTER_KEY environment variable.

Example credentials.yml

An example credentials.yml file. Note: the file is only ever stored on disk in encrypted form; you can verify this by looking at the file extension, credentials.yml.enc.

### config/credentials.yml

# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
secret_key_base: <your-secret-hash>

# used for e.g. ActionMailer email delivery
email:
  user: <email-address>
  password: <email-pass>

# database access in production environment
production:
  database:
    database: <production-database-name>
    username: <database-user>
    password: <database-pass>
    host: <database-host>

# ActiveStorage file storing in the cloud
aws:
  access_key_id: <aws-key-id>
  secret_access_key: <aws-secret-key>

Opening and closing credentials.yml

Open the credentials file from within your application folder:

$ rails credentials:edit

With this command, Rails takes master.key, decrypts credentials.yml.enc and opens the plaintext in your editor. As soon as you close the editor, Rails encrypts the contents again and writes them back as credentials.yml.enc; the decrypted copy only exists in a temporary file while the editor is open.
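The round trip just described, as a standalone added example (this is neither Rails' own implementation nor code from this post): generate a master key, encrypt the YAML shown above with AES-128-GCM, decrypt it again and parse it into an object that offers the same dig access Rails does. The key length (16 random bytes stored as 32 hex characters) and the "ciphertext--iv--tag" layout are assumptions chosen to resemble Rails' defaults; the output is not byte-compatible with a real credentials.yml.enc. All values are constructed.

```ruby
require "openssl"
require "yaml"
require "base64"
require "securerandom"

# Constructed plaintext with the same keys as the credentials.yml above.
PLAINTEXT_CREDENTIALS = <<~YAML
  secret_key_base: constructed-secret-key-base
  email:
    user: mailer@example.com
    password: constructed-email-pass
  production:
    database:
      database: app_production
      username: app
      password: constructed-db-pass
      host: db.internal
  aws:
    access_key_id: CONSTRUCTED_KEY_ID
    secret_access_key: constructed-secret-key
YAML

# master.key holds 16 random bytes as 32 hex characters (assumption: this mirrors
# the default key length; it is not Rails' own generator).
def generate_master_key
  SecureRandom.hex(16)
end

# Encrypt the YAML text with AES-128-GCM. Output is three strict-base64 parts
# (ciphertext, IV, auth tag) joined by "--". This layout is an assumption for
# illustration, not a byte-compatible credentials.yml.enc.
def encrypt_credentials(yaml_text, master_key_hex)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = [master_key_hex].pack("H*")   # 32 hex chars -> 16 raw key bytes
  iv = cipher.random_iv                       # fresh 12-byte nonce per encryption
  cipher.auth_data = ""
  ciphertext = cipher.update(yaml_text) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
end

# Decrypt and verify. A wrong key or any modified byte fails the GCM tag check
# and raises OpenSSL::Cipher::CipherError, so tampering never yields garbage YAML.
def decrypt_credentials(blob, master_key_hex)
  ciphertext, iv, tag = blob.split("--").map { |p| Base64.strict_decode64(p) }
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key = [master_key_hex].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end

# Parsed view offering the same dig(*keys) access used later in the post.
class Credentials
  def initialize(yaml_text)
    @config = YAML.safe_load(yaml_text, symbolize_names: true) || {}
  end

  def dig(*keys)
    @config.dig(*keys)   # nil when any key along the path is missing
  end
end

# "Open": decrypt credentials.yml.enc with master.key and parse the YAML.
def load_credentials(blob, master_key_hex)
  Credentials.new(decrypt_credentials(blob, master_key_hex))
end

# True when the blob cannot be authenticated with the given key.
def rejected?(blob, master_key_hex)
  decrypt_credentials(blob, master_key_hex)
  false
rescue OpenSSL::Cipher::CipherError, ArgumentError
  true
end

if $PROGRAM_NAME == __FILE__
  key  = generate_master_key
  blob = encrypt_credentials(PLAINTEXT_CREDENTIALS, key)   # what gets committed
  puts load_credentials(blob, key).dig(:production, :database, :host)   # db.internal
  puts rejected?(blob, generate_master_key)                 # true: wrong master.key
end
```

Because GCM authenticates the ciphertext, a lost or mismatched master key does not produce wrong values, it produces an error; the same check is why the .enc file cannot be hand-edited and why the only way to change it is the decrypt/edit/re-encrypt cycle above.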

If you’re on Windows, set the editor of your choice before running the command:

# regular command prompt
> SET EDITOR="C:/Program Files (x86)/Notepad++/notepad++.exe"
> rails credentials:edit

# Windows powershell
> $env:EDITOR="notepad"
> rails credentials:edit

Accessing and using credentials data in Rails

Access the credentials with Rails.application.credentials.dig(...), which returns nil (rather than raising) when a key is missing:

### config/storage.yml

amazon:
  service: S3
  access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %>
  secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %>
  region: <your-region-here>
  bucket: <bucket-name>

### config/environments/production.rb

config.action_mailer.smtp_settings = {
  address:              '<email-server>',
  port:                 '<port>',
  domain:               '<your-domain>',
  user_name:            Rails.application.credentials.dig(:email, :user),
  password:             Rails.application.credentials.dig(:email, :password),
  authentication:       :plain,
  tls:                  true,
  enable_starttls_auto: true
}
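What actually happens when one of the YAML files above references a credential, as an added example (not Rails' own loader and not code from this post): the ERB tags are evaluated first, the result is parsed as YAML, and a missing credential silently becomes null instead of an error. The stand-in credentials object, the region and bucket values and the validate_service! boot check are constructed for this example.

```ruby
require "erb"
require "yaml"

# Constructed stand-in for Rails.application.credentials: only the #dig method
# the templates above use, over an already-decrypted hash (in a real app Rails
# builds this object from credentials.yml.enc and master.key).
class FakeCredentials
  def initialize(hash)
    @hash = hash
  end

  def dig(*keys)
    @hash.dig(*keys)   # nil when any key along the path is missing
  end
end

# Constructed sample values; real ones live only inside credentials.yml.enc.
CREDENTIALS = FakeCredentials.new(
  aws:   { access_key_id: "AKIA_CONSTRUCTED_EXAMPLE", secret_access_key: "constructed-secret" },
  email: { user: "mailer@example.com", password: "constructed-email-pass" }
)

# Same layout as config/storage.yml above; region and bucket are constructed.
STORAGE_TEMPLATE = <<~YAML
  amazon:
    service: S3
    access_key_id: <%= credentials.dig(:aws, :access_key_id) %>
    secret_access_key: <%= credentials.dig(:aws, :secret_access_key) %>
    region: eu-central-1
    bucket: constructed-bucket
YAML

# ERB pass, then YAML parse: the two steps Rails performs on its YAML config
# files that matter here (its real loader does more).
def render_config(template, credentials)
  rendered = ERB.new(template).result_with_hash(credentials: credentials)
  YAML.safe_load(rendered, symbolize_names: true)
end

# A missing credential does not raise: dig returns nil, ERB prints it as an
# empty string and YAML reads "access_key_id:" as null. Detect that at boot
# instead of letting the first S3 request fail with an opaque auth error.
def missing_credential_keys(section, required)
  required.select { |key| section[key].nil? || section[key].to_s.strip.empty? }
end

# Raise with key names only (never values), so the message is safe to log.
def validate_service!(name, section, required)
  missing = missing_credential_keys(section, required)
  return section if missing.empty?

  raise KeyError, "#{name}: missing credentials for #{missing.join(', ')}"
end

if $PROGRAM_NAME == __FILE__
  storage = render_config(STORAGE_TEMPLATE, CREDENTIALS)
  validate_service!(:amazon, storage[:amazon], %i[access_key_id secret_access_key])
  puts storage[:amazon].keys.inspect
end
```

Running the same template against an empty credentials object shows the failure mode: the rendered YAML is still valid, access_key_id and secret_access_key are simply nil, and only the explicit check turns that into a KeyError naming the keys (not the values).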

