Manage encrypted credentials (added in Rails 5.2.0) with multiple environments.


Available as a gem creds


Using Rails command, generate new encrypted file by

bin/rails encrypted:edit config/credentials/production.yml.enc --key config/credentials/production.key

add some content in opened editor (note there is no environment root key, ie no production):

aws_access_key_id: my-access-key-id

If config/credentials/production.key doesn't exist yet, run bin/rails generate master_key and adjust naming to match desired one. Content of file can be displayed by

bin/rails encrypted:show config/credentials/production.yml.enc --key config/credentials/production.key

Add to config/environments/production.rb (or any other env)

config.creds ="config/credentials/production.yml.enc")

If wants to use key from custom path - by default it checks RAILS_MASTER_KEY env key and config/master.key file:

config.creds ="config/credentials/production.yml.enc", key_path: "config/credentials/production.key")

In the code:


To ease working in development/test environments with the same API, add config/credentials/plain.yml with key/value pairs nested under environment name, like:

  aws_access_key_id: "aws-key-id"

Then add to config/environments/development.rb

config.creds ="config/credentials/plain.yml", env: "development")

Rails 6.0

In Rails 6.0 it is possible to edit files by rails credentials:edit --environment production which will look for config/credentials/production.yml.enc encrypted by ENV["RAILS_MASTER_KEY"] or config/credentials/production.key


  • To raise error in case of missing key you can add bang to the name, like Rails.configuration.creds.database_url!
  • To list all defined key/value pairs call config, like Rails.configuration.creds.config
  • Plain text file can embed Ruby (<%= %>), but not encrypted one
  • If secret_key_base is specified in credentials file, it will be assigned to Rails.configuration.secret_key_base, as it is required by Rails


Build Status

After checking out the repo, run bin/setup to install dependencies. Then, run rake test to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to


Bug reports and pull requests are welcome on GitHub at


The gem is available as open source under the terms of the MIT License.