How to work with Rails Credentials in Productions Environments?

Question

I am having difficult to understand how can I work with Rails credentials in Prod environments.

My Use Case. I started a new rails project. It comes with my personal master.key and a credentials.yml.enc that I can edit using the command

EDITOR="code --wait" rails credentials:edit

All is good. All is fine. Now I want to add it to my heroku production app. First I will push my credentials.yml.enc to my github. Then I will set a ENV or a Master Key on my heroku.

My question is.... How can Heroku decrypt the credentials.yml.enc that was created inside my development env (so, it was encrypted used my personal master.key) with their own production key?

Answer 1

See the Heroku section of this article:

The easiest way to make encrypted credentials work on Heroku is to get the value stored in config/master.key, and use it to set up the RAILS_MASTER_KEY environment variable

This allows Heroku workers to use Rails.application.credentials calls just like you are able to do in a console.

The key is to create the RAILS_MASTER_KEY environment variable in Heroku (either through the web interface or the CLI) and set its value to your master key value.

For your specific question:

How can Heroku decrypt the credentials.yml.enc that was created inside my development env (so, it was encrypted used my personal master.key) with their own production key?

It's the same key. You are going to copy the value of master.key to Heroku as the value of the RAILS_MASTER_KEY variable.