Secure credentials with Rails 6

Saman Batool
Sep 22, 2022

Whenever you’re working with secure credentials (such as a publishable token), you want a secure way to handle them so that they don’t show up in your repository or in any other open form.

In the past, we used environment variables, which you can still use in your local development environment and set in production, but newer versions of Rails (6 & 7) provide a much smoother and cleaner way of handling this.

Your rails application comes with two files under the config folder:

credentials.yml.enc file (basically an encrypted credentials.yml file)

master.key file (key file to decrypt the credentials file)

When you open the credentials.yml.enc file, you will see that you can't read or understand anything because it is encrypted, so it's important to have the master key file to be able to decrypt it. When you push your code to GitHub, the credentials.yml.enc file is pushed but the master key is not. If you look at your .gitignore file, you will see that it ignores /config/master.key. This way, when you commit your code, the master key is not saved in your repository.

It is worth noting that if you are working with a multi-member team whose members also need access to the credentials file, you will have to provide the master key file in a different way so that they can also decrypt the credentials.yml.enc file. This also means that if you have cloned a repo with an existing credentials file, or any application that stores its credentials this way, you won't have access to the master key file (since it won't be in the repo). You will have to create your own set of credentials and master key file, which will happen when you open the repository in an editor. When you open the project in your editor, these files should generate automatically.

So how do we read the credentials file?

Well, rails provides this command to open the file in the editor of your choice:

rails credentials:edit

When you first run this command, you will get a ‘set editor’ error. This just means that you will have to explicitly state the editor like this:

EDITOR=code rails credentials:edit

(This is the case for VS Code; if you are using Atom, for example, simply put 'atom' instead of 'code'.)

You will see that the file opens up in your editor but closes automatically. Also, if you look at your terminal, you will see a 'File encrypted and saved' message. This is because the editor did not wait for any changes to be made before exiting (note: not all editors behave like this, but this is the case with Visual Studio Code). This means that you need to add a --wait flag to your command like this:

EDITOR="code --wait" rails credentials:edit

Check it out, you’ll see that it opens the file and displays all the information. Also in your terminal, you’ll see that it's waiting (it doesn’t say file encrypted and saved automatically like before).

The format of this file is YAML with key/value pairs. To test usage, let's uncomment lines 1 and 2 and save the file. You'll see in your terminal that the file is encrypted and saved. To read the key again, you still won't be able to simply open the credentials.yml.enc file in your project (it will still be encrypted). So to read it again, you'll have to run the above command again to open it in your editor. You'll see the same key/value pairs pull up. This is how you add and read credentials.

How do you access/reference this from your application?

Keeping the key that we uncommented in mind — in this case we have aws and access_key_id — let’s hop on to the rails console. The command to access the key is:

Rails.application.credentials.aws[:access_key_id]

This command will return the value associated with this key. In your application code, this is how you will access the credentials, eliminating the need to hardcode the actual key in your code.
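To make concrete why credentials.yml.enc is safe to commit while master.key is not, here is an added, constructed Ruby illustration (not Rails' own code) of the scheme Rails uses: a 16-byte master key, stored as 32 hex characters in config/master.key or supplied via the RAILS_MASTER_KEY environment variable, drives AES-128-GCM over the YAML, and the decrypted hash is read exactly like Rails.application.credentials.aws[:access_key_id]. The ciphertext layout (Base64 ciphertext, IV and auth tag joined by "--") follows ActiveSupport::MessageEncryptor; the sample credentials and key values are constructed for the example.

```ruby
require "openssl"
require "securerandom"
require "base64"
require "yaml"

# AES-128-GCM: the cipher behind config/credentials.yml.enc. GCM is
# authenticated, so a wrong key or a tampered file is rejected rather
# than silently yielding garbage.
CIPHER = "aes-128-gcm"

# What `rails credentials:edit` writes into config/master.key: 16 random
# bytes as 32 hex characters.
def generate_master_key
  SecureRandom.hex(16)
end

# Encrypt the plaintext YAML; the result is what lands in the repository.
def encrypt_credentials(yaml_text, master_key_hex)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [master_key_hex].pack("H*")   # hex string -> 16 raw bytes
  iv = cipher.random_iv
  ciphertext = cipher.update(yaml_text) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }.join("--")
end

# Decrypt and parse; raises OpenSSL::Cipher::CipherError when the key is
# wrong (the "cloned repo without master.key" situation) or the blob was altered.
def decrypt_credentials(blob, master_key_hex)
  ciphertext, iv, tag = blob.split("--").map { |b| Base64.strict_decode64(b) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [master_key_hex].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  yaml = cipher.update(ciphertext) + cipher.final
  YAML.safe_load(yaml, symbolize_names: true)   # keys become symbols, as in Rails
end

# Key lookup order in production: RAILS_MASTER_KEY env var, then the key file.
def resolve_master_key(env, key_file_contents)
  (env["RAILS_MASTER_KEY"] || key_file_contents || "").strip
end

if __FILE__ == $PROGRAM_NAME
  key  = generate_master_key
  blob = encrypt_credentials("aws:\n  access_key_id: CONSTRUCTED_EXAMPLE_ID\n", key)
  creds = decrypt_credentials(blob, key)
  puts creds[:aws][:access_key_id]   # same lookup as Rails.application.credentials.aws[:access_key_id]
end
```

Running it shows the committed blob reveals nothing without the key, and that decrypting with any other key fails outright instead of returning wrong values.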

You can use this process to store all of your publishable API keys.
