Create fresh Rails 5 credentials on clone - ruby-on-rails

Problem
I am creating a rails 5.2 template. I've created a new project which is a fork of the template. I don't want to use the same config/master.key since this would be shared across X other projects. Is there a way to generate a new key & config/credentials.yml.enc pair? That way I could include a config/credentials.yml.enc.sample and they run rails credentials:new or something then copy the contents over?
Can't find anything in the documentation or google/so searches about this and my alternative is to use the same key across all my public projects :,(

as described here: https://blog.eq8.eu/til/rails-52-credentials-tricks.html
Regenerate key
Currently there is no “edit password” feature, you need copy original content of the credentials, remove the enc files and regenerate fresh credentials file (source)
step 1 copy content of original credentials rails credentials:show
step 2 move your config/credentials.yml.enc and config/master.key away (mv config/credentials.yml.enc ./tmp/ && mv config/master.key ./tmp/)
step 3 run EDITOR=vim rails credentials:edit
step 4 paste copied values from original credentials
step 5 save and commit config/credentials.yml.enc
note! EDITOR=vim rails credentials:edit may not work if you require credential value in some file (e.g. in config/database.yml)

https://github.com/rails/rails/blob/master/railties/lib/rails/commands/credentials/USAGE
For applications created prior to Rails 5.2, we'll automatically
generate a new credentials file in config/credentials.yml.enc the
first time you run bin/rails credentials:edit. If you didn't have a
master key saved in config/master.key, that'll be created too.
So I can create a plain text version of the encrypted file to show which keys are required:
foo_api_key: 123
They run bin/rails credentials:edit which generates the key and encrypted file then they copy the keys over to add them to the encrypted file.

Using #Myk Klemme's answer at https://stackoverflow.com/a/48373368/936494 I was able to successfully re-generate credential files config/credentials.yml.enc, config/master.key.
For that I first removed the existing config/credentials.yml.enc file I got from cloned template-repo and then ran following command
rails_new_app$ EDITOR="mate --wait" bin/rails credentials:edit
which generated following output:
Adding config/master.key to store the encryption key: <encryption_key>
Save this in a password manager your team can access.
If you lose the key, no one, including you, can access anything encrypted with it.
create config/master.key
File encrypted and saved.

Related

Couldn't decrypt config/credentials.yml.enc. Perhaps you passed the wrong key?

I recently deleted my local project but did a git clone and picked up from where I last committed. As I tried to upload images to AWS, which was already configured, I got this error:
Aws::Sigv4::Errors::MissingCredentialsError in RentalsController#create
Cannot load `Rails.config.active_storage.service`: missing credentials, provide credentials with one of the following options: - :access_key_id and :secret_access_key - :credentials - :credentials_provider
I tried to look at my credentials.yml file for any error but when I input this command:
EDITOR="code --wait" rails credentials:edit
...I get this error:
Couldn't decrypt config/credentials.yml.enc. Perhaps you passed the wrong key?
What could be the problem?
You are missing the master.key
When you create a new project, rails will setup the credentials.yml.enc and a matching master.key file to access the credentials. The master.key file will also automatically be added to the gitignore, so if you delete your project local and clone it again your master.key will be lost.
The only way to fix this is by setting up new credentials.yml.enc and add your AWS credentials to it again.
First you need to remove the existing credentials.yml.enc and then run:
rails credentials:edit to create a new one.

Error when trying to run rails application on mac

I'm am working as a part of a team for a school project. We are using Ruby 2.6.5 and Rails 6.0.2.1. I have pulled the master branch from GitHub, but when I try to run the application I get this error:
ArgumentError: Missing secret_key_base for 'production' environment
I have looked online and found that the old solution was to change the config/secrets.yml file, but rails 6 no longer has that file, and instead has an encoded credentials.yml.enc file that has the same functionality. How do I fix this issue?
Rails > 5.2 introduced a new feature for securing credentials. For this rails uses a master.key in config folder which is usually added to .gitignore so that it stays secure and doesn't get pushed to git.
This master.key is used to encrypt or decrypt content from the credentials.yml.enc file which you found.
If you are working on a team then the project creator will have to share this master.key file to you personally or you have to create a new credentials.yml.enc. You can do it using the below command -
EDITOR=vim rails credentials:edit
This will create a new master.key and credentials.yml.enc in your machine but the changes made by your teammates in the credentials.yml.enc will be lost. To avoid that hassle just get the master.key from your teammate and put it in the config. folder.
You can try changing the config.require_master_key = true #in config/environments/production.rb
You can go to this link to check this in detail:- https://blog.engineyard.com/rails-encrypted-credentials-on-rails-5.2
I hope this will work for you.

Can't edit credentials Rails 5.2

When I open the file this way:
EDITOR="atom --wait" bin/rails credentials:edit
I get a brand new file that is assigned a new name (a number.credentials.yml) and reports "New credentials encrypted and saved," and I am not given the opportunity to edit the file.
Then I type:
bin/rails credentials:show
and I get the default aws: 123 etc....
So I delete both the credentials.yml.enc and the master key and start over, with the same results. the new credentials.yml.enc is created with the default verbage, but I cannot edit it.
I am using ruby 2.5.3 and rails 5.2.2. Ubuntu 18.04 if that matters. I have followed all the recommendations given elsewhere on this exact topic, but nothing works for me.
With rails credentials:show, you cannot edit your credentials.yml. You have to use EDITOR="atom --wait" rails credentials:edit to edit your credentails.yml.
Delete your master.key than you need to run the command EDITOR="atom --wait" rails credentials:edit which it won't find the master.key and creates new one with crendetials.yml.enc. After that, add some stuffs and close that file with CTRL + W. Now you can see the result with rails credentials:show.
I was having the exact same issue. It appears the issue is the quotes surrounding the specified text editor. (Note: I am running MacOS, not Ubuntu):
Doesn't work as intended
EDITOR=“vim” rails credentials:edit
New credentials encrypted and saved.
But I didn't want to create new credentials. I wanted to edit my existing credentials.yml.enc file.
Works as intended
EDITOR=vim rails credentials:edit
This does what I expect: opens up the credentials.yml.enc file in vim in an unencrypted format.
You need install vim for ubuntu, use this commmand:
sudo apt-get install vim
I had the same problem and solutioned with that. ;)

Rails convert secrets to credentials

I updated my Rails app from 5.1.6 to 5.2.1 and we were using secrets before. We'd like to switch to credentials since it was supposed to replace secrets. There are a couple of things I'm wondering:
1) Is there a "Railsy" way to do this? I'm aware I can just edit the secrets and copy the contents over to the credentials but I'm not sure if that's the right way to do it since I couldn't find anything that talks about this. Also, I tried copy the encrypted content from secrets.yml.enc and paste it to credentials.yml.enc but that didn't work, ran into some issues with the encryption.
2) Related to the first point, am I supposed to still be able to use secrets in 5.2.1? I thought credentials was supposed to replace secrets so I was surprised I could still use secrets and all my tests are passing.
Thanks for any info or help on this!
Backup your config/secrets.yml. Scaffold a temporary vanilla Rails 5.2.1 project via rails new. Copy config/master.key and config/credentials.yml.enc from it to your existing Rails project. Edit these credentials e.g in Ubuntu via:
EDITOR="gedit --wait" bin/rails credentials:edit
Replace the secret_key_base (new flat format prefered, optional for all environments) from the old secrets.yml and / or paste whatever else you need as a secret into it and save it. Delete config/secrets.yml and the temporary Rails project. Access the secrets in your code e.g. via:
Rails.application.credentials.secret_key_base
Ensure that your upgraded Rails 5.1.6 project use the master key in config/environments/*.rb:
Rails.application.configure do
...
config.require_master_key = true
...
end
Restart the Rails server. Do'nt forget to .gitignore and .dockerignore the config/master.key!

Is it safe to commit Rails' credentials.yml.enc file?

I've just created a new Rails project, and it came with this credentials.yml.enc file.
Is it safe to commit it publicly?
What David Heinemeier Hansson said here:
These secrets are not supposed to withstand any sort of attack in test or development.
As far I understood you should not keep damn secret credentials here, and then it's good to publish in public.
It's only in production (and derivative environments, like exposed betas) where the secret actually needs to be secret. So we can simply insert this secret into the new flat credentials.yml.enc file.
And at the end he mentioned:
Note: We should just keep Rails.secrets and friends around. The Rails.credentials setup would be a new, concurrent approach. All new apps would use it, but we wouldn't need to screw existing apps.
Hope it would help. For more, follow this.
I finally understood it.
Read this https://blog.saeloun.com/2019/10/10/rails-6-adds-support-for-multi-environment-credentials.html first.
For test and development env, you can simply remove the master.key and you will find that rails s works well.
You can run rails console, then run Rails.application.credentials.config to see that the value.
But if you have a wrong master.key there and run rails s, you will get an error.
But if you removed master.key, you will find that rails s -e production doesn't work.
If you have the correct value of master.key, you can run EDITOR=vim rails credentials:edit to edit it.
If you don't have the correct value of master.key, when you run EDITOR=vim rails credentials:edit,
it will generate a new master.key for you but unfortunately that master.key is a wrong one.
This is reasonable because it makes the credentials.yml.enc unable to be decrypt unless you have already got a correct master.key.
So you can remove the credentials.yml.enc and master.key and run EDITOR=vim rails credentials:edit to generate a new pair.
But before you do that, you should remove master.key and run rails console, then run Rails.application.credentials.config to
understand what values you need to set when running EDITOR=vim rails credentials:edit.
All the Rails instance in production env should have the same credentials.yml.enc and master.key.
So you should keep credentials.yml.enc in your sources code.
credentials.yml.enc why not? This is encrypted file and it doesn't have any information without a key.
But master.key you must keep in secret!!! It may decrypt your file.
You can push the credentials.yml.enc file to production. Just remove the master.key. They are meant to be pushed to production. However, if you are skeptical about this then save it to some local server, and when you are deploying make code to pull the file and master.key. This can be done using Capistrano tasks if you prefer this.

Resources