Please, any idea how to understand Rails credentials?
- What is the master key?
- What is the previous design for secrets, and what has changed in the design in Rails 6?
Thank you
Have you checked the guides - Securing Rails Applications — Ruby on Rails Guides
To see what was changed look at the release notes. I remember reading the answers there a few years ago, but I don’t see the same content now. But you could check - Upgrading Ruby on Rails — Ruby on Rails Guides
This is probably more than you wanted to know. Sorry.
The main differences between credentials (Rails 6) and secrets (Rails 5) are
There are two parts to understanding Rails 6 credentials. The files and the file content.
For any environment there are two files: the key file and the credentials file.
The files created for the development environment will be
config/credentials/development.key
config/credentials/development.yml.enc
The key file contains the private key used to encrypt the credentials file. In some systems the key may come from an environment variable. This file must be kept private.
The credentials file contains various credentials in YAML format. This is the content which you are protecting.
Your credentials could be your Rails secret_key_base, your AWS access_key_id and secret_access_key, and the API keys or tokens for any other services you are using.
You are not limited to those things. I, for instance, include the variables which are used in config/database.yml, which simplifies that file.
The command rails credentials:edit --environment=<development|test|production> creates the files (if necessary) and/or opens an editor for the credentials in config/credentials for the environment specified. This allows you to use different credentials for each environment. When you close/save the editor the file is encrypted and saved.
Note: Set the environment variable EDITOR to specify your command-line editor of choice. Put it into a startup file (.bashrc, .zshrc, whatever) so you never have to do that again.
The content of a credentials file is a YAML dictionary linking keys (names) to data. There are many tutorials on YAML around, also YAML checkers and YAML<->JSON converters.
Assuming these are the decrypted contents of config/credentials/development.yml.enc (note: none of these are values I use):
secret_key_base: 00000000000011111111111122222222222233333333333
database:
  username: frednurk
  password: apasswordforfred
  dbname: fredsoftheworld
Anywhere in our application, initializers or configuration we can use Rails.application.credentials to access values in the credentials file. Here is a config/database.yml:
default: &default
  adapter: postgresql
  host: localhost
  username: <%= Rails.application.credentials.dig(:database, :username) %>
  password: <%= Rails.application.credentials.dig(:database, :password) %>
  database: <%= Rails.application.credentials.dig(:database, :dbname) %>
development:
  <<: *default
test:
  <<: *default
production:
  <<: *default
  adapter: mysql2
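To make the key-file / credentials-file split concrete, here is an added example (not code from the post above, and not Rails's own implementation) that models the design with only the Ruby standard library: a 32-hex-character master key is unpacked into 16 raw bytes and used as an AES-128-GCM key, the YAML document is encrypted with a fresh IV on every save and stored as ciphertext, IV and auth tag joined by "--", and the key is looked up in the order RAILS_MASTER_KEY environment variable, then config/credentials/<env>.key, then config/master.key. The cipher, key handling and lookup order match what Rails documents, but byte-for-byte compatibility with files written by rails credentials:edit is not claimed; the file system is stood in for by a hash, and the sample YAML is constructed with fake values.

```ruby
# Added example modelling the Rails 6 credentials design; not Rails code.
# Assumptions: AES-128-GCM with the hex master key unpacked to 16 bytes, a
# "ciphertext--iv--tag" layout, and a hash standing in for the file system.
require "openssl"
require "yaml"
require "securerandom"

CIPHER = "aes-128-gcm"

# A master key is 32 hex characters (16 random bytes), like config/master.key.
def generate_master_key
  SecureRandom.hex(16)
end

# Hex text in the key file -> raw 16-byte AES key.
def raw_key(master_key_hex)
  key = [master_key_hex.strip].pack("H*")
  raise ArgumentError, "master key must be 32 hex characters" unless key.bytesize == 16
  key
end

# What an editor save does: random IV per save, authenticated ciphertext,
# parts strict-base64 encoded and joined with "--".
def encrypt_credentials(master_key_hex, plaintext_yaml)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = raw_key(master_key_hex)
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext_yaml) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Decrypt and verify the GCM tag; a wrong key or a tampered blob raises CipherError.
def decrypt_credentials(master_key_hex, blob)
  ciphertext, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = raw_key(master_key_hex)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end

# Lookup order Rails documents: RAILS_MASTER_KEY, then the environment-specific
# key file, then config/master.key. `files` maps path => contents (assumption).
def resolve_master_key(rails_env, env_vars, files)
  return env_vars["RAILS_MASTER_KEY"].strip if env_vars["RAILS_MASTER_KEY"]
  path = "config/credentials/#{rails_env}.key"
  path = "config/master.key" unless files.key?(path)
  files.fetch(path) { raise "no master key: set RAILS_MASTER_KEY or create #{path}" }.strip
end

# Counterpart of Rails.application.credentials.dig(:database, :username).
def credentials_dig(master_key_hex, blob, *path)
  YAML.safe_load(decrypt_credentials(master_key_hex, blob), symbolize_names: true).dig(*path)
end

# Constructed sample mirroring the post; none of these values are real.
# secret_key_base is quoted: an unquoted run of digits 0-7 with a leading 0
# is parsed by Psych as an octal Integer, not a String.
SAMPLE_YAML = <<~YAML
  secret_key_base: "00000000000011111111111122222222222233333333333"
  database:
    username: frednurk
    password: apasswordforfred
    dbname: fredsoftheworld
YAML

def demo
  dev_key = generate_master_key
  files = { "config/credentials/development.key" => dev_key + "\n" }
  key = resolve_master_key("development", {}, files)
  blob = encrypt_credentials(key, SAMPLE_YAML)
  # Someone holding only development.yml.enc (e.g. from the repo) gets nothing usable.
  begin
    decrypt_credentials(generate_master_key, blob)
    wrong_key_rejected = false
  rescue OpenSSL::Cipher::CipherError
    wrong_key_rejected = true
  end
  {
    username: credentials_dig(key, blob, :database, :username),
    secret_is_string: credentials_dig(key, blob, :secret_key_base).is_a?(String),
    wrong_key_rejected: wrong_key_rejected,
    parts: blob.split("--").size
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The point the model makes visible: the .yml.enc file is safe to commit only because the GCM tag check fails closed without the key, so the key file (or the RAILS_MASTER_KEY variable that replaces it on servers) is the single secret that must stay out of the repository, and the check in raw_key is where a truncated or copy-pasted key fails loudly instead of silently decrypting nothing.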