Ruby
Rails
secrets.yml

How to set up the secret key in the production environment in Rails 5.1

This article is a translation from https://qiita.com/kawasaki/items/dcaf5716c3fd5e2fe69f


Digest version to set up the secret key in the production environment in Rails 5.1

  1. $ rails secrets:setup -> copy the long secret key in the first line and set it as an environment variable RAILS_MASTER_KEY when executing rails
  2. $ rails secret -> you will get the longer key; copy it
  3. $ EDITOR=vim rails secrets:edit write the following and save it from vim
production:
  secret_key_base: paste the longer second key here

Errors in the production environment when I run 'rails server'

I've developped my application happily in the development environment. But it's high time I prepared for the production environment, and I tried

$ rails server --environment production

and got
An unhandled lowlevel error occurred. The application logs may have details.

Oh, no...
Next, I tried
$ rails secrets:setup

which was introduced in Rails 5.1. But the error still remained. Going down in to the rails library, I got the point where I was wrong.

Anyway, you'll get the following output wehn you run rails secrets:setup

Adding config/secrets.yml.key to store the encryption key: a1e98ed29c40d7453a06bebeb815c0f3
Save this in a password manager your team can access.
If you lose the key, no one, including you, can access any encrypted secrets.
      create  config/secrets.yml.key
Adding config/secrets.yml.enc to store secrets that needs to be encrypted.
      create  config/secrets.yml.enc
For now the file contains this but it's been encrypted with the generated key:
# See `secrets.yml` for tips on generating suitable keys.
# production:
#  external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289…
You can edit encrypted secrets with `bin/rails secrets:edit`.
Add this to your config/environments/production.rb:
config.read_encrypted_secrets = true

The encryption key "a1e98ed29c40d7453a06bebeb815c0f3" in the first line is the most important key to protect the whole application and you must keep it secret. The key is automatically written down to config/secrets.yml.key.
Never commit it to your git repository, NEVER!
But usually you'll not commit it because the file config/secrets.yml.key is automatically added to .gitignore, so that the file is not to be committed.

For rails execution, you need either to import config/secrets.yml.key from somewhere or to set the secret key in the environment variable RAILS_MASTER_KEY.

Actually, this in only the half of the necessary settings because what you did is to make a key to lock config/secrets.yml.enc, you treasure box. You still need to store your treasure.
This file, secrets.yml.enc is an encrypted yml file using your key. It looks like as follows.

secrets.yml.enc
PWuauKAmdO3Cv2cVx+qqY8cxH3gF/xwRooeoccT8zjd/RypgQOtxPMGx9Coq1eXrw+1wEubcvs6RreKnWlJ
+rrSH1LJjti8dWvveQxvhVlliF/dHJl0nTKBFoq/VTlk6OZhsejga0TJqXygKrCDOeLZXFRoGfsxKsRRByl
/9gmeVpqmy0TJDVWOS0jSK+g==--dEPT19vek1oKHNWd--8OKW3ZEmKMFEpAc7/8X5oQ=

To edit this file (if you use vim),
$ EDITOR=vim rails secrets:edit

The file looks like as follows.

# See `secrets.yml` for tips on generating suitable keys.
# production:
#  external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289…

Everything is commented out and nothing is specified above. You have to specify secret_key_base beneath production which is a secret key used for Cookie encryption. It is recommended to generate the secret key by using "rails secret".

$ rails secret
d7755ec06a476332ec0c5083e6a824eb60552704f136383d9...

Then, save it in your config/secrets.yml.enc by doing

$ EDITOR=vim rails secrets:edit
production:
  secret_key_base: d7755ec06a476332ec0c5083e6a824eb60552704f136383d9...

Now, you have no error regarding the secret key in Rails.

By the way, you can store any kind of secret information here including database passwords. e.g.

production:
  secret_key_base: d7755ec06a476332ec0c5083e6a824eb60552704f136383d9...
  postgresql_password: c0c5083e6a824eb6

You can use the encrypted database password from your code by
Rails.application.secrets.postgresql_password
e.g. in config/database.yml.

config/database.yml
...
production:
  adapter: postgresql
  username: appname
  password: <%= Rails.application.secrets.postgresql_password %>
...