 

Separate secret_key_base in Rails 5.2?

I just upgraded from 5.1 to 5.2 and I'm quite confused about this 'better' methodology to storing secrets...

Maybe I'm not understanding, but it seems like now development and production have been 'merged' into a SINGLE SECRET_KEY_BASE as well as master.key... is this correct?

If not, how do I use a separate master key and SECRET_KEY_BASE in development?

What if I have developers helping me and I don't want them to know my master key (or secrets) I use in production?

Tallboy asked Apr 11 '18 18:04




2 Answers

Rails 5.2 changed this quite a bit. For development and test environments, the secret_key_base is generated automatically, so you can just remove it from secrets.yml or wherever you have it set.

As for production, there is the credentials file which you can generate and edit it by running rails credentials:edit. This will also create the master key in config/master.key which is only used for encrypting and decrypting this file. Add this to gitignore so it's not shared with anyone else, which should take care of sharing it with fellow devs.

If all of this sounds a bit tedious, and it is, you can just ignore it and provide the secret_key_base in ENV. Rails will check if it's present in ENV["SECRET_KEY_BASE"] before it complains.

tomca32 answered Oct 04 '22 22:10



There are two ways to access secret_key_base:

  1. Rails.application.credentials.secret_key_base
  2. Rails.application.secrets.secret_key_base

Rails 5 took the first way by default.

You can change Rails.application.credentials.secret_key_base with rails credentials:edit. For all other environments, remember to set the environment variable RAILS_MASTER_KEY to the same content as config/master.key. The master.key is git-ignored by default. This way uses the same secret key for all environments. If you want to use different keys, you need to control namespaces yourself.

If you prefer the second way, Rails.application.secrets.secret_key_base, you need to create config/secrets.yml:

development:
  secret_key_base: ...
test:
  secret_key_base: ...
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>

Remember to set the environment variable SECRET_KEY_BASE on production. If the config/secrets.yml file is secret enough, changing <%= ENV["SECRET_KEY_BASE"] %> to plain text is fine.

rake secret can generate a random secret key for you.

I prefer the second way (the old way), because it is simple.

Yi Feng Xie answered Oct 04 '22 21:10

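The lookup order both answers describe (ENV["SECRET_KEY_BASE"], then the credentials file decrypted with the master key, then secrets.yml, with a generated fallback only in development and test) and the second answer's remark about namespacing per environment, as an added stand-alone illustration that is not Rails' code or either poster's: the master key, the AES-GCM wrapper and the resolver are a simplified model, and the credentials blob format is hypothetical rather than byte-compatible with what `rails credentials:edit` writes.

```ruby
require "openssl"
require "securerandom"
require "yaml"
require "erb"

# Constructed example master key: 32 hex characters (16 bytes), the shape
# `rails credentials:edit` writes to config/master.key. Never commit a real one.
MASTER_KEY = "0123456789abcdef0123456789abcdef"

# Encrypt a credentials YAML document with AES-128-GCM under the master key.
# Hypothetical stand-in for Rails' encryptor; the on-disk format is different.
def encrypt_credentials(yaml, master_key)
  cipher = OpenSSL::Cipher.new("aes-128-gcm")
  cipher.encrypt
  cipher.key = [master_key].pack("H*")
  iv = cipher.random_iv
  ciphertext = cipher.update(yaml) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |b| [b].pack("m0") }.join("--")
end

def decrypt_credentials(blob, master_key)
  ciphertext, iv, tag = blob.split("--").map { |b| b.unpack1("m0") }
  cipher = OpenSSL::Cipher.new("aes-128-gcm")
  cipher.decrypt
  cipher.key = [master_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag # wrong master key or a tampered blob raises CipherError
  YAML.safe_load(cipher.update(ciphertext) + cipher.final)
end

# Resolve secret_key_base in the order the answers describe (a simplified model
# of Rails 5.2 behaviour, not its code): ENV first, then the encrypted
# credentials (an environment-named namespace wins over the top-level key),
# then secrets.yml; development and test fall back to a generated value, and
# any other environment without a secret is an error.
def resolve_secret_key_base(env, credentials_blob: nil, master_key: nil, secrets_yml: nil)
  secret = ENV["SECRET_KEY_BASE"]
  if secret.nil? && credentials_blob && master_key
    creds = decrypt_credentials(credentials_blob, master_key)
    secret = creds.dig(env, "secret_key_base") || creds["secret_key_base"]
  end
  if secret.nil? && secrets_yml
    # secrets.yml is ERB-templated, so <%= ENV["SECRET_KEY_BASE"] %> is evaluated here
    secret = YAML.safe_load(ERB.new(secrets_yml).result).dig(env, "secret_key_base")
  end
  secret = SecureRandom.hex(64) if secret.nil? && %w[development test].include?(env)
  raise "Missing secret_key_base for #{env}" if secret.to_s.empty?
  secret
end
```

The generated fallback is 128 hex characters, the same length `rake secret` produces.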