Rails 6.0 adds support for multi-environment credentials. Here’s a quick summary of how it works:
By default, behavior is the same as Rails 5.2. To configure credentials for another enviornment, just add
rails credentials:show [--environment <env>]
rails credentials:edit [--environment <env>]
rails credentials:edit --environment production
RAILS_ENV=<env> rails credentials:show won’t work.
--environment must be used instead.)
How Rails behaves
Rails continues to use the 5.2-compatible files (
config/credentials.yml.enc) in the absence of an environment-specific file.
If an environment-specific file is available, then that is used instead (and the default file is ignored – they are not merged). This is convenient when you want multiple environments, eg: development and test, to both use the same file. In this example, use the default file for those two environments, and then provide an environment-specific file for production only.
For reference, Rails will look in the following places for the master key for decryption:
And it will look for the actual encrypted credentials at these locations: