Before Rails 5.1, secrets management was a hassle. Gems like dotenv-rails and sekrets were being used to manage secrets in Rails applications. Rails 5.1 shipped a built-in secrets management feature based on the sekrets gem.
This article explains how to manage application secrets in Rails 5.1 applications.
The problem with application secrets is that they cannot be committed to a VCS (version control system) in plain text. Once committed, anyone with read access to the repository, or to its history, can read the secrets.
Before Rails 5.1
Developers used gems like dotenv-rails and sekrets to manage application secrets in Rails applications.

dotenv-rails added support for dotfiles like `.env` (one `KEY=value` pair per line) in the project. The key/value pairs defined in `.env` were loaded into `ENV` when the application booted. To have separate env files per environment, files like `.env.staging` were created. These files were gitignored, so they were never added to VCS and the secrets stayed secret. The `.env` file was either kept on the production servers or pushed to them through the deployment tooling.
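A minimal dotenv-style loader, as an added example of the mechanism described above (this is not code from dotenv-rails; the function names and the sample `.env` contents are constructed for the example). It parses `KEY=value` lines, loads `.env.<environment>` before `.env` so the more specific file wins, and never overwrites a variable the process already has, the same precedence dotenv-rails uses:

```ruby
require "tmpdir"

# Minimal dotenv-style loader (added example; not code from dotenv-rails).
# Parses one KEY=value per line, skips blank lines and # comments, accepts an
# optional leading "export", and strips one pair of matching quotes.
def parse_dotenv(text)
  text.each_line.with_object({}) do |line, vars|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split("=", 2)
    next if key.nil? || value.nil?
    key = key.sub(/\Aexport\s+/, "").strip
    value = value.strip
    if value.length >= 2 && value[0] == value[-1] && %w[" '].include?(value[0])
      value = value[1..-2]
    end
    vars[key] = value
  end
end

# Load .env.<env> first, then .env: the more specific file wins, and neither
# overrides a variable the process already has, so a value exported on the
# server (or by the deploy tool) beats anything in the files.
def load_dotenv(dir, rails_env, env)
  [".env.#{rails_env}", ".env"].each do |name|
    path = File.join(dir, name)
    next unless File.exist?(path)
    parse_dotenv(File.read(path)).each { |k, v| env[k] = v unless env.key?(k) }
  end
  env
end

# Constructed sample: a base .env plus a staging override, loaded into a hash
# that stands in for ENV. `preset` simulates variables already in the process.
def demo_dotenv(preset = {})
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, ".env"), <<~ENV)
      # shared defaults (this file is gitignored)
      DATABASE_URL=postgres://localhost/app
      API_KEY="dev-key"
    ENV
    File.write(File.join(dir, ".env.staging"), <<~ENV)
      API_KEY='staging-key'
      export SMTP_PASSWORD=hunter2
    ENV
    load_dotenv(dir, "staging", preset.dup)
  end
end
```

The "first value wins" rule is the security-relevant detail: because `.env` files are not in VCS, the only copy of a production secret lives on the server, and a variable set by the deploy tool must not be silently replaced by a stale file.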
The sekrets gem takes a different approach: it encrypts the secrets file, and the encrypted file can be checked into VCS. The encryption key is not checked in; it is made available on the staging / production servers. Once the code is deployed, the key is used to decrypt the encrypted file and load its contents into the application.
Rails 5.1 adopts the logic / workflow defined by sekrets for its secrets management, which we will see next.
After Rails 5.1
Rails 5.1 added a built-in feature for application secrets management.
To set up secrets in a Rails 5.1 application, run `bin/rails secrets:setup`.
Running the command does the following things.
- Generates an encryption key to encrypt application secrets.
- Creates a `secrets.yml.key` file containing the encryption key in the `config` directory of the Rails application.
- Adds `config/secrets.yml.key` to the `.gitignore` file, so that it does not get checked into VCS.
- Creates a `secrets.yml.enc` file where the encrypted secrets are stored; this file can be checked in.
To edit secrets in a Rails 5.1+ application, run `bin/rails secrets:edit`.
The command needs an editor to be set through the `EDITOR` environment variable. If no editor is set, it aborts and tells you to set one. For editors that fork and return immediately (most GUI editors), pass the editor's wait flag, otherwise the file is re-encrypted and saved before you get a chance to edit it.
Using Vim for editing secrets: `EDITOR=vim bin/rails secrets:edit`
This decrypts `config/secrets.yml.enc` and opens it for editing. Update the file and save it; the contents are re-encrypted on save.
Reading the encrypted secrets
By default, a Rails application will not read the encrypted secrets.
Rails has added a new configuration flag, `config.read_encrypted_secrets`, to override this setting.
`secrets:setup` sets the flag to `true` in `config/environments/production.rb` by default; in other environments it stays `false` unless you set it.
The decrypted secrets are then available in the Rails application through `Rails.application.secrets`, e.g. `Rails.application.secrets.api_key` for a key named `api_key` under the current environment's section of the YAML.
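A toy re-implementation of the whole cycle (the sekrets-style workflow above, `secrets:setup`, `secrets:edit` on save, and the key lookup a deployed application performs), as an added example, not code from Rails or from the sekrets gem. Rails 5.1 does the encryption through `ActiveSupport::MessageEncryptor`; here OpenSSL is used directly with aes-128-gcm, and the file layout, function names and sample secrets are assumptions made for the example. Besides the happy path it shows the three failure modes a practitioner should expect: no key available, wrong key, and a checked-in `.enc` file that was modified.

```ruby
require "openssl"
require "securerandom"
require "base64"
require "yaml"
require "tmpdir"

# Toy re-implementation of the secrets:setup / secrets:edit / read cycle
# (added example; not Rails or sekrets code). Rails 5.1 encrypts through
# ActiveSupport::MessageEncryptor; OpenSSL is used directly here.
CIPHER = "aes-128-gcm"

class MissingKeyError < StandardError; end

# secrets:setup: a random key, hex-encoded (16 bytes for aes-128-gcm).
def generate_key
  SecureRandom.hex(OpenSSL::Cipher.new(CIPHER).key_len)
end

# Encrypt the plaintext YAML. Output: "base64(iv)--base64(ciphertext)--base64(tag)".
# The GCM tag means any edit to the checked-in file is detected on decrypt.
def encrypt_secrets(key_hex, plaintext)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [key_hex].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, ciphertext, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
end

# Decrypt; raises OpenSSL::Cipher::CipherError on a wrong key or a modified file.
def decrypt_secrets(key_hex, blob)
  iv, ciphertext, tag = blob.split("--").map { |p| Base64.strict_decode64(p) }
  raise ArgumentError, "malformed secrets file" unless tag && tag.bytesize == 16
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [key_hex].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
end

# Key lookup in the order Rails uses: RAILS_MASTER_KEY first, then the key file.
# Neither is in VCS; the key file is what secrets:setup adds to .gitignore.
def lookup_key(key_path, env = ENV)
  return env["RAILS_MASTER_KEY"].strip if env["RAILS_MASTER_KEY"]
  return File.read(key_path).strip if File.exist?(key_path)
  raise MissingKeyError, "Missing encryption key: set RAILS_MASTER_KEY or deploy #{key_path}"
end

# The decrypted YAML has one section per environment plus an optional `shared:`
# section; the environment-specific values win.
def secrets_for(yaml_text, rails_env)
  doc = YAML.safe_load(yaml_text) || {}
  (doc["shared"] || {}).merge(doc[rails_env] || {})
end

def raises?(error_class)
  yield
  false
rescue error_class
  true
end

# Runs the whole cycle in a temp dir and reports what a deploy would see.
def demo
  Dir.mktmpdir do |dir|
    key_path = File.join(dir, "secrets.yml.key")
    enc_path = File.join(dir, "secrets.yml.enc")
    File.write(key_path, generate_key)                 # secrets:setup
    plaintext = <<~YAML                                # constructed sample secrets
      shared:
        api_key: shared-key
      production:
        api_key: prod-key
        aws_secret: s3cr3t
    YAML
    File.write(enc_path, encrypt_secrets(lookup_key(key_path, {}), plaintext))  # secrets:edit, on save
    blob = File.read(enc_path)
    no_file = File.join(dir, "missing", "secrets.yml.key")
    result = {}
    # Production box: only RAILS_MASTER_KEY is present, no key file deployed.
    prod_env = { "RAILS_MASTER_KEY" => File.read(key_path) }
    result[:production] = secrets_for(decrypt_secrets(lookup_key(no_file, prod_env), blob), "production")
    # Staging box with the key file deployed; only `shared:` values apply.
    result[:staging] = secrets_for(decrypt_secrets(lookup_key(key_path, {}), blob), "staging")
    # Failure modes: no key at all, a different key, a modified ciphertext byte.
    result[:missing_key_error] = raises?(MissingKeyError) { lookup_key(no_file, {}) }
    result[:wrong_key_detected] = raises?(OpenSSL::Cipher::CipherError) { decrypt_secrets(generate_key, blob) }
    iv, ct, tag = blob.split("--")
    tampered = Base64.strict_encode64(Base64.strict_decode64(ct).tap { |s| s.setbyte(0, s.getbyte(0) ^ 0x01) })
    result[:tamper_detected] = raises?(OpenSSL::Cipher::CipherError) { decrypt_secrets(lookup_key(key_path, {}), [iv, tampered, tag].join("--")) }
    result
  end
end
```

The point of the failure-mode checks: an encrypted secrets file in VCS is only as safe as the key stays out of it, and the authenticated cipher is what stops a modified `secrets.yml.enc` (for example a changed database URL in a malicious pull request) from being decrypted and used.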
- Application secrets can be encrypted and checked into VCS from Rails 5.1+ applications.
- Secrets are edited using the encryption key, which is not checked into VCS.
- The encryption key must never be checked in. Supply it to the running application either through the `RAILS_MASTER_KEY` environment variable or by making `config/secrets.yml.key` available on the server through deployment.