Rails - credentials 
04 Jun 25
config/credentials.yml.enc is an encrypted file for storing app-specific keys securely. It can't be opened directly, but :
$rails credentials:edit $rails credentials:show
can edit/show it if there is a valid key, which Rails will look for in config/master.key (master.key is not encrypted so should be gitignored and not kept on the server) or failing that in an environment variable, RAILS_MASTER_KEY. On simbed-server, RAILS_MASTER_KEY is kept in etc/environment.d/wack.conf (equivalent to Heroku's config_vars i guess).
Be careful (locally) if there is no master key as rails credentials:edit will re-encrypt the file with a newly created key if it's missing. In production, it's not good practice to directly edit files anyway, but furthermore if the correct gitignore/clone process has been followed there will be no master.key on the server either. environment.d variables only get set via a systemd service, which hasn't been started so RAILS_MASTER_KEY also won't be available from there when sshing to the server. So to carry out commands from the command line on the server that need the environment variables do export RAILS_ENV=production and export RAILS_ENV= [master_key].
Note, newer versions of Rails allow for storing secrets by environment so have a config/credentials/production.key and production.yml.enc which work in a similar way, but i chose not to use this and just use credentials.yml.enc
So the master.key is kept in config locally (not in production). This allows credentials.yml.enc to be opened. Credentials.yml.enc contains secret_key_base which is used for cookie security and the database_password. (I will probably add to this all the the other former Heroku config_vars like SENDGRID_API_KEY etc...
Be careful (locally) if there is no master key as rails credentials:edit will re-encrypt the file with a newly created key if it's missing. In production, it's not good practice to directly edit files anyway, but furthermore if the correct gitignore/clone process has been followed there will be no master.key on the server either. environment.d variables only get set via a systemd service, which hasn't been started so RAILS_MASTER_KEY also won't be available from there when sshing to the server. So to carry out commands from the command line on the server that need the environment variables do export RAILS_ENV=production and export RAILS_ENV= [master_key].
Note, newer versions of Rails allow for storing secrets by environment so have a config/credentials/production.key and production.yml.enc which work in a similar way, but i chose not to use this and just use credentials.yml.enc
So the master.key is kept in config locally (not in production). This allows credentials.yml.enc to be opened. Credentials.yml.enc contains secret_key_base which is used for cookie security and the database_password. (I will probably add to this all the the other former Heroku config_vars like SENDGRID_API_KEY etc...
