Rails and The Legendary Master.key

Brenden Thornton
3 min read, May 10, 2019

When deploying my first application onto Heroku, I discovered there were quite a few challenges in configuring my repo and Heroku application properly. The main underlying problem came down to the most recent Rails 5.2 Credentials API.

As of Rails 5.2, config/secrets.yml and config/secrets.yml.enc (the Rails 5.1 encrypted secrets) are deprecated in favour of two files: config/credentials.yml.enc, which holds your encrypted secrets (secret_key_base among them), and config/master.key, which holds the key that decrypts it. Your code reads them through Rails.application.credentials instead of Rails.application.secrets.

How Do I Use These Credentials?

When using an authentication system in Rails, you might be using Rails.application.credentials.secret_key_base to sign your JWTs, session cookies, or whatever tokens your setup issues. This works because config/credentials.yml.enc holds, encrypted, the secrets that protect your authentication system, database, or third-party APIs. The thing to remember here is that this file is safe to commit, even to a public repo, because it is encrypted (AES-128-GCM, keyed by the contents of config/master.key): without the master key its contents cannot be read or tampered with undetected. The flip side is that its safety rests entirely on the master key staying private.

The next important file is config/master.key, which holds the master key that decrypts credentials.yml.enc; in production you typically supply the same value through the RAILS_MASTER_KEY environment variable instead of the file (on Heroku, as a config var), so the key never lands on disk in the deployed app. This is a very important file that must never be committed to your source control tool! I can't stress this enough, because this key will give anyone access to your encrypted secrets and will leave your application open to attack. A fresh rails new adds /config/master.key to .gitignore, but verify that the entry is there before your first push. To avoid this you need to add your…
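To make the mechanism concrete, here is a standard-library-only Ruby reconstruction of what the two files do, written for this article and not taken from Rails or the original post. It mirrors the scheme Rails uses (a 16-byte key stored as 32 hex characters in master.key, AES-128-GCM, ciphertext stored as base64 data, IV and auth tag joined by "--"), but the function names are my own, the credentials YAML is a constructed sample, and the output is not byte-compatible with a real credentials.yml.enc (Rails serialises the payload with Marshal before encrypting). It shows why the encrypted file is safe to commit, why the wrong key fails loudly rather than yielding garbage, how secret_key_base then signs a token, and a check that master.key is ignored by git.

```ruby
require "openssl"
require "yaml"
require "base64"
require "json"
require "securerandom"

# Illustrative reimplementation of the Rails 5.2 credentials scheme (not Rails' own code).
CIPHER = "aes-128-gcm"

# Constructed sample credentials, the plaintext you would see in `rails credentials:edit`.
SAMPLE_CREDENTIALS = <<~YAML
  secret_key_base: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  mail_api_token: example-token-not-real
YAML

# What `rails credentials:edit` writes to config/master.key: 16 random bytes as 32 hex chars.
def generate_master_key
  SecureRandom.hex(16)
end

def key_bytes(master_key_hex)
  raise ArgumentError, "master key must be 32 hex characters" unless master_key_hex =~ /\A\h{32}\z/
  [master_key_hex].pack("H*")
end

# Encrypt the plaintext YAML. The returned string is what gets committed as credentials.yml.enc.
def encrypt_credentials(plaintext_yaml, master_key_hex)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = key_bytes(master_key_hex)
  iv = cipher.random_iv            # fresh IV per encryption; reuse would break GCM
  cipher.auth_data = ""
  data = cipher.update(plaintext_yaml) + cipher.final
  [data, iv, cipher.auth_tag].map { |b| Base64.strict_encode64(b) }.join("--")
end

# Decrypt. A wrong key or a tampered file fails the GCM tag check and raises
# OpenSSL::Cipher::CipherError instead of returning bogus plaintext.
def decrypt_credentials(encrypted, master_key_hex)
  data, iv, tag = encrypted.split("--").map { |s| Base64.strict_decode64(s) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = key_bytes(master_key_hex)
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  (cipher.update(data) + cipher.final).force_encoding(Encoding::UTF_8)
end

# The equivalent of Rails.application.credentials: a hash of the decrypted YAML.
def load_credentials(encrypted, master_key_hex)
  YAML.safe_load(decrypt_credentials(encrypted, master_key_hex))
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constant-time comparison so signature checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# What an auth system does with credentials.secret_key_base: issue an HS256 JWT.
def sign_jwt(payload, secret)
  header = b64url(JSON.generate({ alg: "HS256", typ: "JWT" }))
  body   = b64url(JSON.generate(payload))
  sig    = b64url(OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{body}"))
  "#{header}.#{body}.#{sig}"
end

# Verify and return the payload, or nil. The HMAC is always recomputed with our secret,
# so a token whose header claims alg "none" is rejected like any other bad signature.
def verify_jwt(token, secret)
  header, body, sig = token.split(".")
  return nil unless header && body && sig
  expected = b64url(OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{body}"))
  return nil unless secure_equal?(sig, expected)
  JSON.parse(Base64.urlsafe_decode64(body))
end

# Pre-push check: rails new writes "/config/master.key" into .gitignore; confirm it is still there.
def master_key_ignored?(gitignore_text)
  gitignore_text.lines.map(&:strip).any? { |l| l == "/config/master.key" || l == "config/master.key" }
end

if __FILE__ == $PROGRAM_NAME
  master_key = generate_master_key
  encrypted  = encrypt_credentials(SAMPLE_CREDENTIALS, master_key)
  creds      = load_credentials(encrypted, master_key)
  token      = sign_jwt({ "sub" => 42 }, creds["secret_key_base"])
  puts "committable ciphertext: #{encrypted[0, 40]}..."
  puts "payload from token:     #{verify_jwt(token, creds['secret_key_base']).inspect}"
  begin
    decrypt_credentials(encrypted, generate_master_key)
  rescue OpenSSL::Cipher::CipherError
    puts "wrong master key: decryption refused (auth tag mismatch)"
  end
end
```

The point of the auth tag is the last branch: with the wrong key (or an edited ciphertext) GCM refuses to decrypt at all, so a leaked credentials.yml.enc is useless on its own, while a leaked master.key turns it into plaintext in one call. Rotating the master key therefore means re-encrypting the file and updating RAILS_MASTER_KEY everywhere it is deployed.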
