
Rails Encrypted Credentials on 6.2
Any Rails application has secrets to store: at the very least the secret key base, along with tokens for third-party APIs. With successive version updates, handling secrets has become easier.
Initially, there were two methods to handle secrets:
- The first method stored secrets in the environment variable (secret_key_base) and committed the secrets.yml file to the repository. This had many safety constraints in place.
- The alternate method saved secrets in the secrets.yml file and avoided committing them to the repository.
In version 5.1, encrypted secrets were introduced, handled by the secrets.yml.enc file along with an encryption key. The encryption key made it possible to commit the secrets to the repository safely.
With Rails 5.2, the plain text credentials became obsolete. Since then, only encrypted credentials have been in place, stored and accessed through two files:
- credentials.yml.enc
- master.key
Credentials were stored in config/credentials.yml.enc and the key was stored in config/master.key. This feature enabled deploying code and credentials together and also storing all credentials in one place.
Handling Multi-Environment Credentials Before Rails 6
Before Rails 6, credentials and configurations for all environments were saved in a single file, with the environment as the top-level key, and multi-environment credentials were handled by specifying the following explicitly.
development:
  aws:
    access_key_id: 123
    secret_access_key: 345
The configuration was accessed by mentioning the access_key_id.
Handling Multi-Environment Credentials in Rails 6
Rails 6 has taken further steps to improve the scalability of the framework by including multi-environment credentials. Instead of keeping one credential file to handle the secrets for all environments, separate credential files are created for each environment and point of delivery. Though this necessitates separate encryption keys per environment, the feature brings more safety and clarity. The built-in multi-environment credentials also facilitate one-time uploading of the encryption/decryption key to the server.
With this update, a global credential file is enough for multiple environments. When the environment is passed, two files are created:
config/credentials/#{environment}.yml.enc
config/credentials/#{env}.key
Let us consider an example. The command rails credentials:edit --environment prod would create the credential files for the production environment as config/credentials/prod.yml.enc and config/credentials/prod.key. If the environment file is missing or not created, the default credentials.yml.enc file will be used.
Also, the config/credentials/prod.yml.enc file would be committed to the repository, and the config/credentials/prod.key file would not be committed.
Credentials in Rails
Rails knows which credential files to use in a specific environment. If environment-specific credentials are defined, they take precedence over the global credentials.
As for the above example,
Rails.application.credentials.config
=> {:aws=>{:access_key_id=>"123", :secret_access_key=>"345"}}
Rails.application.credentials.aws[:access_key_id]
=> "123"
Added Features in Rails 6
Rails 6 also added a feature to explicitly specify the location where the credential file is stored. Committing to a known path in the repository makes handling these files easier. To save the files in a specific path of your choice, config.credentials.content_path and config.credentials.key_path are used. While using this, one must make sure to upload the valid key as well as the credentials to avoid errors and interruptions. If the respective key is not available on the path, the encrypted credentials remain a bunch of meaningless characters.
To handle local environment credentials, config/credentials/environment.key and the plain config/master.key are used. The scenario varies in the production environment. There, the RAILS_MASTER_KEY environment variable can be used, and the encryption key from the .key file is stored in it.
The setting below tells Rails to look for the credentials file at config/credentials/local.yml.enc instead of config/credentials/development.yml.enc:
config.credentials.content_path = 'config/credentials/local.yml.enc'
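The fallback and key lookup described above can be checked before a deploy. The following is an added example, not code from Rails or from this article: `resolve_credentials` and `build_sample_app` are hypothetical helpers, the file contents are constructed placeholders, and pairing the fallback file with config/master.key and preferring RAILS_MASTER_KEY over a key file are assumptions modelled on Rails defaults.

```ruby
require "tmpdir"
require "fileutils"

# Approximates the lookup order described above (not Rails source code):
# use config/credentials/<env>.yml.enc with its own key when that file exists,
# otherwise fall back to config/credentials.yml.enc and config/master.key.
# A non-empty RAILS_MASTER_KEY is preferred over any key file.
def resolve_credentials(root, env, env_vars = ENV)
  env_file = File.join(root, "config", "credentials", "#{env}.yml.enc")
  if File.exist?(env_file)
    content = env_file
    key_file = File.join(root, "config", "credentials", "#{env}.key")
  else
    content = File.join(root, "config", "credentials.yml.enc")
    key_file = File.join(root, "config", "master.key")
  end

  key_source =
    if !env_vars["RAILS_MASTER_KEY"].to_s.strip.empty?
      :env_var
    elsif File.exist?(key_file)
      :key_file
    else
      :missing
    end

  # ready: ciphertext and some key are both present; it does not prove the key is correct.
  { content_path: content, key_path: key_file, key_source: key_source,
    ready: File.exist?(content) && key_source != :missing }
end

# Builds a throwaway project tree holding constructed placeholder files.
def build_sample_app(root)
  FileUtils.mkdir_p(File.join(root, "config", "credentials"))
  File.write(File.join(root, "config", "credentials.yml.enc"), "constructed-ciphertext")
  File.write(File.join(root, "config", "master.key"), "constructed-key")
  File.write(File.join(root, "config", "credentials", "prod.yml.enc"), "constructed-ciphertext")
  # prod.key is deliberately absent, as on a server that never received it.
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    build_sample_app(root)
    %w[development prod].each do |env|
      r = resolve_credentials(root, env, {})
      puts "#{env}: #{r[:content_path].sub("#{root}/", '')} key=#{r[:key_source]} ready=#{r[:ready]}"
    end
  end
end
```

In the sample tree, prod resolves to its own encrypted file but reports a missing key, which is the state in which the credentials stay unreadable until the key is supplied through the key file or RAILS_MASTER_KEY.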
Conclusion
The Rails team puts constant effort into improving the efficiency and scalability of the framework. With multi-environment credentials enabled, applications deployed across multiple platforms and pods find it easier to keep their code simple and accessible.