Rails 5.1 Capistrano Deploying with secrets.yml.key

Question

I'm attempting to deploy to a staging environment with capistrano. I've set up my encrypted secrets and tested on development, and the secrets appear available. I've setup the staging environment config for read_encrypted_secrets = true. My secret key file is git-ignored. I have ssh'ed into my staging environment and placed the secrets.yml.key in the app_name/current/config directory. I am deploying to an AWS EC2 instance. I am not using the RAILS_MASTER_KEY environment variable.

When I run cap staging deploy and choose my release tag, I run into this error during deploy:migrating bundle exec rake db:migrate

01 rake aborted!
01 Rails::Secrets::MissingKeyError: Missing encryption key to decrypt secrets with. Ask your team for your master key and put it in ENV["RAILS_MASTER_KEY"]

I have the correct key on the server, why isn't rails finding/using it?

Answer 1

The app_name/current path is just a symlink to the newest Capistrano release. That means that the contents of app_name/current/config will change every time you run cap staging deploy. If you manually add a file to that directory via ssh, it will no longer be there on the subsequent deploy.

The proper way to add a configuration file to the server that will persist across all deploys is to place it in the shared directory. Specifically:

1. Via ssh (or scp), place your key file at app_name/shared/config/secrets.yml.key.

2. Locally, in deploy.rb, add the following:

   append :linked_files, "config/secrets.yml.key"
   

Now run cap staging deploy.

Answer 2

This also works for Rails 5.2 and the encrypted ENV variables:

append :linked_files, "config/master.key"