Getting rid of the credentials "feature" in Rails

I am under a lot of stress due to this feature that is simply not needed in my scenario. It causes a lot of hassle and errors. For example:

[mememe@app site]# rails db:migrate RAILS_ENV=production
rails aborted!
ArgumentError: Missing `secret_key_base` for 'production' environment, set this string with `rails credentials:edit`

Then when trying to edit:

[mememe@app site]# EDITOR="mate --wait" bin/rails credentials:edit
Adding config/master.key to store the master encryption key: 7b3516f223e08c7eb04813154582be2b

Save this in a password manager your team can access.

If you lose the key, no one, including you, can access anything encrypted with it.

      create  config/master.key

Traceback (most recent call last):
    38: from bin/rails:3:in `<main>'
    37: from bin/rails:3:in `load'
    36: from /app/site/bin/spring:15:in `<top (required)>'
...
     1: from /usr/local/rvm/gems/ruby-2.5.5/gems/activesupport-5.2.3/lib/active_support/message_encryptor.rb:183:in `_decrypt'
/usr/local/rvm/gems/ruby-2.5.5/gems/activesupport-5.2.3/lib/active_support/message_encryptor.rb:206:in `rescue in _decrypt': ActiveSupport::MessageEncryptor::InvalidMessage (ActiveSupport::MessageEncryptor::InvalidMessage)

Then I tried to set it up in .env, and now I get:

[mememe@app site]# rails db:migrate RAILS_ENV=production
rails aborted!
ActiveSupport::MessageEncryptor::InvalidMessage: ActiveSupport::MessageEncryptor::InvalidMessage
/usr/local/rvm/gems/ruby-2.5.5/gems/activesupport-5.2.3/lib/active_support/message_encryptor.rb:206:in `rescue in _decrypt'

I also tried setting in production.rb:

config.require_master_key=false

I just want to migrate the db to production; I do not want all this :( Can someone more experienced please tell me how to get rid of this "feature"?

Nick M asked Nov 01 '25 04:11


1 Answer

secret_key_base is used for things like cookie signing and session encryption; if you're going to use these, then you need it and need to keep it secret.

In Rails 5 it can also be set via the old-fashioned config/secrets.yml (use rails secret to generate):

development: &defaults
  secret_key_base: some_other_very_long_key_here
test:
  <<: *defaults
production:
  <<: *defaults
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] || 'some_very_long_key_here' %>

And previously you had to keep this file with production keys secret. With credentials, you only keep the master key secret.

If you're sure that you do not need "secrets"/"credentials", you can commit the above file in your code and Rails will not complain.

Vasfed answered Nov 02 '25 18:11
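
Added example, not part of the answer above and not Rails' own code: a simplified model of how Rails 5.2 encrypts config/credentials.yml.enc (AES-128-GCM, base64 parts joined with `--`), showing that any key other than the one the file was encrypted with fails authentication, which Rails reports as ActiveSupport::MessageEncryptor::InvalidMessage. The keys and credential text are constructed samples, the helper names are hypothetical, and Rails' serialization of the file contents is left out.

```ruby
require "openssl"
require "base64"
require "securerandom"

CIPHER = "aes-128-gcm" # cipher Rails 5.2 uses for config/credentials.yml.enc

# Encrypt text under a 32-hex-char key, in the "data--iv--tag" layout.
def encrypt_credentials(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Returns the plaintext, or nil when the key does not match the file.
def decrypt_credentials(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(data) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil # GCM tag check failed or blob malformed; Rails raises InvalidMessage here
end

# Hypothetical pre-deploy check: does this key open this encrypted file?
def diagnose(blob, hex_key)
  return "key must be 32 hex characters" unless hex_key.match?(/\A\h{32}\z/)
  decrypt_credentials(blob, hex_key) ? "key matches file" : "key does not match file"
end

# Constructed sample data (not real secrets).
ORIGINAL_KEY    = SecureRandom.hex(16) # key the file was encrypted with
REGENERATED_KEY = SecureRandom.hex(16) # a newly created config/master.key
SAMPLE_TEXT     = "secret_key_base: constructed_sample_value\n"
BLOB            = encrypt_credentials(SAMPLE_TEXT, ORIGINAL_KEY)

puts diagnose(BLOB, ORIGINAL_KEY)
puts diagnose(BLOB, REGENERATED_KEY)
puts diagnose(BLOB, "not-a-key")
```
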