Safe Credentials

Safe Credentials allows you to encrypt sensitive credentials so you can store your configuration files in source control.


To store configuration files in source control is always a tricky issue. You shouldn't store your credentials in clear text in source control, but often your team needs a subset of those credentials to test and execute the project.

A usual approach is to create a configuration file (config.yml or similar) but don't push it to source control. Instead, you also create a dummy example file (config.yml.example) with dummy values. When someone needs to access the real credentials he or she has to ask the project owner for them.

This solution is not ideal, especially when you need to add add or change some configuration parameter.


Install the gem

$ gem install safe_credentials

Run the provided executable:

$ safe_credentials encrypt

  Encrypting file config/config.yml
  Enter your password:
  Result stored in config/encrypted_config.yml
  Adding config/config.yml to .gitignore.

Later, when you need to decrypt the credentials

$ bin/safe_credentials decrypt

  Decrypting file config/encrypted_config.yml
  Enter your password:
  Result stored in config/config.yml


Choose the path to the real config file and the encrypted one:

safe_credentials encrypt --from path/to/config.yml --to path/to/decrypted_config.yml

Also you can choose to encrypt only some configuration parameters:

# Encrypt database variables in all environments

safe_credentials encrypt --vars **.database.*

# Encrypt production variables

safe_credentials encrypt --vars producion

# Encrypt only password variables

safe_credentials encrypt --vars **password


Original idea seen on John Resig's blog


  • Capistrano integration. Upload config file to remote server and decrypt it there.
  • Support other formats beside YAML, like TOML or JSON.


  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request