Separate secret_key_base in Rails 5.2?

Tallboy · Apr 11, 2018 · Viewed 12.2k times

I just upgraded from 5.1 to 5.2 and I'm quite confused about this 'better' methodology for storing secrets...

Maybe I'm not understanding, but it seems like now development and production have been 'merged' into a SINGLE SECRET_KEY_BASE as well as master.key... is this correct?

If not, how do I use a separate master key and SECRET_KEY_BASE in development?

What if I have developers helping me and I don't want them to know my master key (or secrets) I use in production?

Answer

tomca32 · Apr 13, 2018

Rails 5.2 changed this quite a bit. For development and test environments, the secret_key_base is generated automatically, so you can just remove it from secrets.yml or wherever you have it set.

As for production, there is the credentials file, which you can generate and edit by running rails credentials:edit. This will also create the master key in config/master.key, which is only used for encrypting and decrypting this file. Add this to gitignore so it's not shared with anyone else, which should take care of sharing it with fellow devs.

If all of this sounds a bit tedious, and it is, you can just ignore it and provide the secret_key_base in ENV. Rails will check if it's present in ENV["SECRET_KEY_BASE"] before it complains.
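
An added illustration (not part of the answer above and not Rails's own code): a plain-Ruby model of why a developer without the production master key cannot read the credentials file, and of the production lookup order the answer describes. The AES-128-GCM cipher and the `ciphertext--iv--auth_tag` layout are assumptions modelled on Rails 5.2's encrypted files (Rails also serializes the payload, which is omitted here); all function names and sample values are constructed.

```ruby
require "openssl"
require "securerandom"
require "yaml"

CIPHER = "aes-128-gcm" # assumption: cipher used for credentials.yml.enc

# Constructed stand-in for config/master.key: 16 random bytes as 32 hex chars.
def generate_master_key
  SecureRandom.hex(16)
end

# Encrypt YAML text into "ciphertext--iv--auth_tag", each part Base64-encoded.
def encrypt_credentials(yaml_text, master_key_hex)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [master_key_hex].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(yaml_text) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Decrypt and parse; raises OpenSSL::Cipher::CipherError on a wrong key or tampering.
def decrypt_credentials(blob, master_key_hex)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [master_key_hex].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  YAML.safe_load(cipher.update(data) + cipher.final)
end

# Production lookup as the answer describes it: ENV first, then the credentials file.
def production_secret_key_base(env, blob, master_key_hex)
  env["SECRET_KEY_BASE"] || decrypt_credentials(blob, master_key_hex)["secret_key_base"]
end

if __FILE__ == $PROGRAM_NAME
  key  = generate_master_key
  blob = encrypt_credentials("secret_key_base: constructed-sample\n", key)
  puts "encrypted file contents: #{blob}"
  puts "resolved in production:  #{production_secret_key_base({}, blob, key)}"
end
```

The encrypted blob is safe to commit; the key (or the `SECRET_KEY_BASE` environment variable) is the only thing that has to stay on the production side.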