Encrypted Configuration on Rails 5.2


Credentials is a new feature on Rails 5.2 which replaces secrets and encrypted secrets. Under the hood Credentials use EncryptedConfiguration which you can reuse if you need to use encryption on other parts of your application.


If you only want to use the credentials on config/credentials.yml.enc, Rails has special methods for that like Rails.application.credentials. 

This blog post is for using EncryptedConfiguration with other files.


You can use EncryptedConfiguration through Rails.application.encrypted. Let's say you want to encrypt some data and save the encrypted file on top_secret.txt.enc.

encrypted = Rails.application.encrypted("top_secret.txt.enc")

This will create a new EncryptedConfiguration object which you can use to encrypt and decrypt text.

encrypted.write("This is a top secret message.")

If you check the file top_secret.txt.enc, you will see


You won't be able to decrypt this without the key. Notice that we didn't specify any key when we called Rails.application.encrypted. If you didn't specify any key, the default master key on config/master.key will be used. This key was created when you created your new Rails 5.2 app. If it doesn't exist, a key will be created when you run bin/rails credentials:edit.

If you want to use a different key aside from config/master.key, create one by running


You can run this on rails console or from the command line you can run

bundle exec rails runner "puts ActiveSupport::EncryptedConfiguration.generate_key"


The output is a string with a length of 32. It's actually a hex as SecureRandom.hex is used.

Save the key to a file. If you use config/top_secret.key as the file name, you can get the EncryptedConfiguration object with

encrypted = Rails.application.encrypted("top_secret.txt.enc", key_path: "config/top_secret.key")

Then you can write your encrypted text like before.

encrypted.write("This is a top secret message.")

To decrypt the text, run

=> "This is a top secret message." 

Currently, there's no way to open an editor with the decrypted text when using a custom filename. With credentials, you can run bin/rails credentials:edit to open a decrypted version of your credentials from config/credentials.yml.enc.


EncyptedConfiguration is the underlying code that makes credentials work. You don't need to use it directly but if you have custom needs, give it a try. Rails encourages using it instead of rolling out your own encryption code.

Start a Free Trial:

Engine Yard is so much more than just a Ruby on Rails PaaS platform. But don't just take our word for it. Request a free trial of Engine Yard platform today, and one of our Engineers will be in contact within one business day to get you going


Related posts

5 Commercial Use Cases Continue to Prove the Value of Ruby on Rails

April 11, 2018

Ruby on Rails continues to gain popularity as an effective platform for developing web and

Read More

Rails Encrypted Credentials Use AES 128-bit Key

March 28, 2018

Rails 5.2 introduces Credentials which replaces Secrets and Encrypted Secrets from previous

Read More

Using Rails and Vue JS, Part 1

March 22, 2018

Vue (pronounced as view) calls itself the progressive JavaScript framework. It is

Read More

Christopher Rigor

Christopher Rigor is a Senior Technical Evangelist at Engine Yard. He’s a long time Rails user, system administrator, and recently became a contributor of RailsInstaller. Previously, he was the DevOps Support Manager for Asia-Pacific at Engine Yard.
Find me on:


Subscribe Here!