How to understand rails 6 credentials?

Please any idea how to understand rails credentials?

  1. what is the master key?

  2. what is the previous design for secret and what has changed in design in rails 6.

Thank you

Have you checked the guides - Securing Rails Applications — Ruby on Rails Guides

To see what was changed look at the release notes. I remember reading the answers there a few years ago, but I don’t see the same content now. But you could check - Upgrading Ruby on Rails — Ruby on Rails Guides

This is probably more than you wanted to know. Sorry.

The main differences between credentials (Rails 6) and secrets (Rails 5) are

  • The name (perhaps credentials sounds more professional than secrets)
  • Storing credentials for different environments in different files.

There are two parts to understanding Rails 6 credentials. The files and the file content.

The Files

For any environment there are two files: the key file and the credentials file. The files created for the development environment will be


The key file contains the private key used to encrypt the credentials file. In some systems the key may come from an environment variable. This file must be kept private.

  • Don’t put it in your repository
  • Transfer it to a remote server manually (or securely, I guess). For example, in Heroku you can set it as an environment variable using the UI or the CLI.

The credentials file contains various credentials in yml format. This is the content which you are protecting.

Your credentials could be your Rails secret_key_base, your AWS access_key_id and secret_access_key , and the apikeys or tokens for any other services you are using.

You are not limited to those things. I, for instance, include the variables which are used in config/database.yml, which simplifies that file.

Editing Credentials

The command

rails credentials:edit --environment=<development|test|production>

creates the files(if necessary) and/or opens an editor for the credentials in `config/credentials’ for the environment specified. This allows you to use different credentials for each environment. When you close/save the editor the file is encrypted and saved.

Note Set the environment variable EDITOR to specify your command-line editor of choice. Put it into a startup file (.bashrc, .zshrc, whatever) so you never have to do that again.

File Content

The content of a credentials file is a YAML dictionary linking keys (names) to data. There are many tutorials on yaml around, also yaml checkers and yaml<->json converters.

Accessing credentials from Rails

Assuming these are the decrypted contents of config/credentials/development.yml.enc : (Note: none of these are values I use)

secret_key_base: 00000000000011111111111122222222222233333333333

  username: frednurk
  password: apasswordforfred
  dbname: fredsoftheworld

Anywhere in our application, initializers or configuration we can use Rails.application.credentials to access values in the credentials file. Here is a config/database.yml;

default: &default
  adapter: postgresql
  host: localhost
  username: <%= Rails.application.credentials.dig(:database, :username)%>
  password: <%= Rails.application.credentials.dig(:database, :password)%>
  database: <%= Rails.application.credentials.dig(:database, :dbname)%>

  <<: *default

  <<: *default

  <<: *default
  adaptor: mysql2