Rails 5.2 with master.key - Heroku deployment

2

48

Rails 5.2 introduces the encrypted secrets feature through the usage of the awesome credentials.yml. But I'm struggling to get it to work with Heroku.

Is there any strategy available right now to deploy a Rails 5.2 app to Heroku?

Strife answered 4/4, 2018 at 23:7 Comment(0)
76

You should set the environment variable RAILS_MASTER_KEY, either on your Heroku web dashboard or using the console:

$ heroku config:set RAILS_MASTER_KEY=<your-master-key>

Example:

$ heroku config:set RAILS_MASTER_KEY=123456789

(The < and > are placeholders)

Rails will detect this variable and use it as your master key (instead of looking for it in the master.key file).

Halfcocked answered 5/4, 2018 at 3:35 Comment(8)
@Halfcocked Rails used to have rails secret to generate a new secret key. Is there a way to generate a new master key? – Innuendo
@Innuendo Yes, you can run bundle exec rails runner "puts ActiveSupport::EncryptedConfiguration.generate_key". Just consider that you won't be able to decrypt any file encrypted with a previous key. – Halfcocked
Am I supposed to use the same master.key I have locally as I do in production then? What if I don't want local developers being able to encrypt my production secrets? – Innuendo
@Innuendo Generally yes, you will use the same master.key in production. If you would like to keep sensitive data private, you could set environment variables in the server, instead of putting them directly in your credentials file. – Halfcocked
@Obromios config/master.key is created when you create your app (i.e. $ rails new myapp) or, if you are upgrading from another Rails version, when you edit your credentials file with $ EDITOR=vim rails credentials:edit. There is no automatic way of changing your master.key; you must do it manually (e.g. 1. $ cd config, 2. $ rails credentials:show > credentials.tmp, 3. $ mv credentials.yml.enc ../tmp/ && mv master.key ../tmp/, 4. $ cat credentials.tmp | pbcopy, 5. $ EDITOR=vim rails credentials:edit and replace all with the content copied in step 4, 6. remove tmp files). – Halfcocked
@Obromios With Linux use xclip instead of pbcopy in step 4. – Halfcocked
Thank you! Should I surround my master key with the < and > symbols? – Astrid
@BKSpurgeon No, I used those only as placeholders. – Halfcocked
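
An added example, not part of the original answers and not Rails' own code: a Ruby sketch of two points made above, that RAILS_MASTER_KEY takes precedence over config/master.key, and that content encrypted under one key cannot be read with a newly generated one. The helper names and the data--iv--tag blob layout are assumptions for illustration; the key check assumes the 32-hex-character form that generate_key produces.

```ruby
require "openssl"
require "securerandom"

CIPHER = "aes-128-gcm" # cipher Rails uses for credentials; needs a 16-byte key

# RAILS_MASTER_KEY takes precedence; config/master.key is the fallback.
# `env` is injectable so the lookup can be exercised without touching ENV.
def resolve_master_key(app_root, env = ENV)
  key = env["RAILS_MASTER_KEY"]
  path = File.join(app_root, "config", "master.key")
  key = File.read(path) if key.to_s.empty? && File.exist?(path)
  key&.strip
end

# Rejects the literal "<...>" placeholder form and short values like 123456789.
def valid_master_key?(key)
  key.is_a?(String) && key.match?(/\A\h{32}\z/)
end

# Simplified stand-in for an encrypted credentials file (constructed format,
# not byte-compatible with credentials.yml.enc): data--iv--tag, base64 parts.
def encrypt(plaintext, hex_key)
  c = OpenSSL::Cipher.new(CIPHER).encrypt
  c.key = [hex_key].pack("H*")
  iv = c.random_iv
  c.auth_data = ""
  data = c.update(plaintext) + c.final
  [data, iv, c.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Returns the plaintext, or nil when the key is wrong or the blob was altered.
def decrypt(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  c = OpenSSL::Cipher.new(CIPHER).decrypt
  c.key = [hex_key].pack("H*")
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = ""
  c.update(data) + c.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  old_key, new_key = SecureRandom.hex(16), SecureRandom.hex(16)
  blob = encrypt("api_token: constructed-sample", old_key)
  puts "old key decrypts? #{!decrypt(blob, old_key).nil?}"
  puts "new key decrypts? #{!decrypt(blob, new_key).nil?}"
end
```

Running `valid_master_key?` on the value before `heroku config:set` catches a pasted placeholder or truncated key before the app fails to boot on the dyno.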
23

You could also use the following command to create Heroku RAILS_MASTER_KEY with the contents of your local config/master.key:

heroku config:set RAILS_MASTER_KEY="$(< config/master.key)"

Note: make sure you are in the directory that contains your Rails app.

Sodomite answered 16/11, 2018 at 15:29 Comment(2)
If the key is kept alongside the encrypted file in the git repo then there's no purpose to using the encryption mechanism. If someone gets access to your source control, they get your keys. – Fontes
@JasonFB you are right. That's why you should use Environmental Variables, and configure them like in the example above. You can check details here: devcenter.heroku.com/articles/… – Sodomite
