GAURAV VARMA

Rails 5.2 rolls out Credentials for encrypted secrets


Rails 5.2 introduced Rails Credentials, a new way to securely store secrets and application credentials using an encrypted YAML file.

Why credentials?

Before Rails 5.2, secrets were stored in secrets.yml, sometimes unencrypted. This posed a risk when sharing codebases. The new credentials approach improves security and developer experience.

Setting it up

To edit credentials:

bin/rails credentials:edit

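This decrypts config/credentials.yml.enc and opens it as YAML in your editor. The file is encrypted using a master key stored in config/master.key or ENV['RAILS_MASTER_KEY']. Keep the master key out of version control: anyone who has it can decrypt the file.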

Example credentials.yml.enc (decrypted)

aws:
  access_key_id: 123
  secret_access_key: abc

You can access them via:

Rails.application.credentials.dig(:aws, :access_key_id)
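An added example (not from the original post or from Rails' source) modelling how the master key protects the file: AES-128-GCM, the cipher Rails uses for credentials, driven through Ruby's OpenSSL library. The helper names and the sample YAML are assumptions for illustration, and the output is not interchangeable with a real credentials.yml.enc.

```ruby
require "openssl"
require "securerandom"
require "yaml"

CIPHER = "aes-128-gcm" # cipher Rails uses for the credentials file
# Constructed sample: the decrypted YAML shown on this page.
SAMPLE_YAML = "aws:\n  access_key_id: 123\n  secret_access_key: abc\n"

# Hypothetical helper: 16 random bytes as 32 hex characters, the shape of config/master.key.
def generate_master_key
  SecureRandom.hex(16)
end

# Returns "ciphertext--iv--auth_tag", each part strict-Base64 encoded.
def encrypt_credentials(yaml_text, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(yaml_text) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Raises OpenSSL::Cipher::CipherError on a wrong key, modified data or short tag.
def decrypt_credentials(blob, hex_key)
  ciphertext, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  # Reject truncated tags explicitly: OpenSSL accepts shorter tags, which weakens the check.
  raise OpenSSL::Cipher::CipherError, "bad auth tag" unless tag&.bytesize == 16
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  YAML.safe_load(cipher.update(ciphertext) + cipher.final, symbolize_names: true)
end

if __FILE__ == $PROGRAM_NAME
  key = generate_master_key
  blob = encrypt_credentials(SAMPLE_YAML, key)
  puts "stored on disk: #{blob}"
  puts "with master key: #{decrypt_credentials(blob, key).dig(:aws, :access_key_id)}"
  begin
    decrypt_credentials(blob, generate_master_key)
  rescue OpenSSL::Cipher::CipherError
    puts "with another key: decryption refused"
  end
end
```

Because GCM is authenticated encryption, a wrong key or an edited file is rejected outright rather than producing garbage YAML.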

Summary

Rails Credentials consolidates secret management into a single encrypted source, so that sensitive data such as API keys is kept secure and is easy to access in any environment.