Ruby on Rails 6 securing app secrets

This post will walk you through the 4 steps to implement secrets in a Rails 6+ app.

Assumption : Rails v6+, Nova editor || Sublime v3+ editor

Even the most mundane Rails application will have some secrets: values used to configure APIs or encryption. The problem is how to manage these secrets without resorting to third-party gems or hacks.

Step 1 : Configure Editor

The goal of this step is to configure your editor so that it can be launched from the terminal. Personally I use Nova and Sublime, so I'll include instructions for both.


Nova

Assuming you have Nova installed in the Applications folder, the good news is that Nova auto-configures itself with a nova symlink, another great reason for investing in this editor. Nothing to do - move along.

Sublime 3

Assuming you have Sublime 3 installed in the Applications folder, the following command creates a symlink named sublime that launches the editor. The command-line launcher lives inside the app bundle (there is no /Applications/Sublime binary), so link to it:

ln -s "/Applications/Sublime Text.app/Contents/SharedSupport/bin/subl" /usr/local/bin/sublime

Step 2 : Secure master.key

/config/master.key contains the encryption key used to encrypt and decrypt /config/credentials.yml.enc. Anyone holding this key can read every secret in the app, so it is critical that the file is listed in your app's .gitignore.

Edit .gitignore and make sure it contains /config/master.key. Rails adds this line when it generates a new app, but verify it; from the repo root, git check-ignore -v config/master.key prints the rule that ignores the file, and prints nothing if it is not ignored.

Assumption : GitHub

Double-check by looking at your GitHub repo. You do not want to see the file master.key in your repo. If it was ever committed, deleting it in a later commit does not remove it from the history; treat that key as exposed.

Step 3 : How to edit credentials.yml.enc

/config/credentials.yml.enc is an encrypted file where you can securely store configuration such as API keys and passwords, basically your app secrets. Unlike master.key, this file is meant to be committed: without the key it is just ciphertext.

The following shell command will edit credentials.yml.enc using your favoured text editor. The --wait flag makes the editor block until you close the file, so Rails can re-encrypt it afterwards.

Nova : EDITOR="nova --wait" bin/rails credentials:edit

Sublime : EDITOR="sublime --wait" bin/rails credentials:edit

NOTE : The file is only written back (re-encrypted) when you either quit the editor or press ENTER in your terminal window, which shows:

Press [Return] when finished editing...

Step 4 : Example secrets

The decrypted file is plain YAML. Here the mailgun settings are nested under a single mailgun key; domain and api_host are shown as placeholders, substitute your own values:

	mailgun:
	  api_key: 99d6ff613389ab444e83830fe1d1499-09001d55-61db8474
	  domain: <your-mailgun-domain>
	  api_host: <your-mailgun-api-host>

Notice the mailgun values and how you can "namespace" values under one key.

Here is an example of how you use these secret values (typically in config/environments/production.rb). Rails.application.credentials.mailgun returns nil when the block is missing, so a missing key shows up as a NoMethodError on nil at boot, which is the point where you want to find out.

config.action_mailer.mailgun_settings = {
    api_key: Rails.application.credentials.mailgun[:api_key],
    domain: Rails.application.credentials.mailgun[:domain],
    api_host: Rails.application.credentials.mailgun[:api_host]
}
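To make concrete what Steps 2 and 3 protect, here is an added, stand-alone Ruby model of the credentials file (my own example, not code from the post or from Rails itself): it turns the 32-hex-character master.key into a 16-byte AES key, produces the same three-part base64 blob, and refuses to decrypt when the key is wrong, the tag is short, or the ciphertext was modified. It assumes the format matches Rails 6's ActiveSupport::MessageEncryptor defaults (AES-128-GCM, Marshal-serialised YAML text, parts joined by "--"); confirm against your Rails version before relying on it.

```ruby
require "openssl"
require "base64"
require "yaml"

# Stand-alone model of master.key and credentials.yml.enc.
# Assumption: this mirrors the scheme ActiveSupport::MessageEncryptor
# applies in Rails 6 (AES-128-GCM, Marshal-serialised text, base64
# ciphertext/iv/tag joined by "--"); it is not the Rails code itself.
module CredentialsFile
  CIPHER = "aes-128-gcm"

  # master.key holds 32 hex characters, i.e. a 16-byte AES key.
  def self.generate_master_key
    OpenSSL::Random.random_bytes(16).unpack1("H*")
  end

  def self.encrypt(yaml_text, master_key)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = [master_key].pack("H*")
    iv = cipher.random_iv              # fresh IV per write; reuse breaks GCM
    cipher.auth_data = ""
    data = cipher.update(Marshal.dump(yaml_text)) + cipher.final
    [data, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
  end

  # Returns the YAML text, or nil when the key is wrong, the tag is not
  # 16 bytes, or the ciphertext was modified (GCM tag verification fails).
  def self.decrypt(blob, master_key)
    data, iv, tag = blob.split("--").map { |p| Base64.strict_decode64(p) }
    return nil unless tag && tag.bytesize == 16
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = [master_key].pack("H*")
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ""
    Marshal.load(cipher.update(data) + cipher.final)
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    nil
  end

  # Parsed view with symbol keys: the shape behind credentials.mailgun[:api_key].
  def self.read(blob, master_key)
    text = decrypt(blob, master_key)
    text && YAML.safe_load(text, symbolize_names: true)
  end
end

# Constructed sample matching the post's namespaced mailgun block.
SAMPLE_YAML = "mailgun:\n  api_key: 99d6ff613389ab444e83830fe1d1499-09001d55-61db8474\n  domain: example.test\n"
```

Pointing CredentialsFile.read at a real config/credentials.yml.enc and config/master.key yields the whole secrets hash, which is exactly why master.key must never reach the repository.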

