Raynaldo Sutisna

The power of Rails master.key


Have you ever wondered where the best place is to put your JWT secret key, API key, or any other secret data in your project?

The answer to this question is inside the config/credentials.yml.enc file.

Yes, this file is encrypted, which is why we can push the config/credentials.yml.enc file to the git repository.

Editing credentials.yml.enc

Run this command in the terminal, using the line for your editor

# VS Code
EDITOR="code --wait" rails credentials:edit

# Atom
EDITOR="atom --wait" rails credentials:edit

Your editor will open a new document with the decrypted credentials.

According to,

By default, the credentials file contains the application's secret_key_base. It can also be used to store other secrets such as access keys for external APIs.

We can put our other secrets, such as the JWT secret key and API key, in here.

jwt:
  secret_key: hello

api: api-key

# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.
secret_key_base: ca8bae95decfb752601c30aff9bbe5e7f22587341f8b132765f2fb92ddab9d52d0ebf07b9ef840acce5aeeed9ed513c8329bb8cafdd1de06494a0d69c5466ee7

Don't forget to close the file; it is saved automatically when you close it. The terminal will show a message confirming this.

Using the credentials

We can read the credentials in a .rb file using this code

Rails.application.credentials.jwt[:secret_key] # hello
Rails.application.credentials.api # api-key

For testing purposes, you can run it in the Rails console.

Deploying the master.key to Heroku

master.key is needed everywhere the credentials are read, so we should make sure that our team members also get this master.key file. When we deploy to a server, we should put the contents of master.key into an environment variable.

According to,

Rails uses config/master.key or alternatively looks for the environment variable ENV["RAILS_MASTER_KEY"] to encrypt the credentials file.

Run this in the terminal

heroku config:set RAILS_MASTER_KEY=`cat config/master.key`

If Heroku returns an error, you should include your Heroku app name like this

heroku config:set RAILS_MASTER_KEY=`cat config/master.key` --app 'heroku app name'

Check this post to learn how to deploy your Rails project.

Keep your master.key safe!

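Don't lose or change your master.key, or your credentials can't be opened. Rails adds config/master.key to .gitignore by default, so the key stays out of the repository even though the encrypted file is committed.

However, you can start over with a new config/credentials.yml.enc and config/master.key, without the old secrets, by running this command in your terminal.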

rails credentials:edit
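
Why a lost or changed master.key leaves the credentials unreadable, shown as an added example (not code from the original post or from Rails itself). It uses only Ruby's standard library and assumes the AES-128-GCM `ciphertext--iv--auth_tag` layout with Marshal serialization that ActiveSupport uses for encrypted files, which may differ between Rails versions; the helper names and the sample YAML are constructed for illustration.

```ruby
require "openssl"
require "base64"
require "securerandom"

CIPHER = "aes-128-gcm" # assumption: cipher used for Rails encrypted files
SAMPLE_YAML = "jwt:\n  secret_key: hello\napi: api-key\n" # constructed sample

# master.key holds 32 hex characters, i.e. one 16-byte AES-128 key.
def generate_master_key
  SecureRandom.hex(16)
end

# Encrypts YAML text into "ciphertext--iv--auth_tag", each part Base64-encoded.
def encrypt_credentials(yaml, master_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [master_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(Marshal.dump(yaml)) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Returns the YAML text, or nil when the key is wrong or the file was altered.
def decrypt_credentials(blob, master_key)
  data, iv, tag = blob.split("--").map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [master_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  plain = cipher.update(data) + cipher.final # final raises if the GCM tag fails
  Marshal.load(plain)                        # reached only for authenticated data
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil
end

# Same file, three situations: original key, regenerated key, edited ciphertext.
def demo
  key = generate_master_key
  blob = encrypt_credentials(SAMPLE_YAML, key)
  tampered = blob.sub(/\A./) { |c| c == "A" ? "B" : "A" }
  { original_key: decrypt_credentials(blob, key),
    regenerated_key: decrypt_credentials(blob, generate_master_key),
    tampered_file: decrypt_credentials(tampered, key) }
end

p demo if $PROGRAM_NAME == __FILE__
```

Only the original key returns the YAML; a regenerated key or a modified file fails the GCM authentication check, which is why the encrypted file can live in git while the key cannot be replaced after the fact.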


I was so happy after I found this way to save my credentials. This is really helpful for keeping your credentials safe. I hope this blog will be helpful, and please leave your comments if you have any questions!

Top comments (1)

Kevin Luo

yes, it's so convenient!