How to change master.key #32718

pdagrawal opened this issue Apr 25, 2018 · 5 comments


@pdagrawal pdagrawal commented Apr 25, 2018

Steps to reproduce

I have set up a new project using Rails 5.2 and its encrypted credentials feature. But if my master.key file gets compromised, how would I change it so that I am still able to use encrypted credentials with a newly created master key?

Expected behavior

Should be able to renew the master key by using the previous master key, just like we can change a password by using the current password.

Actual behavior

Unable to change master key

System configuration

Rails version:

Ruby version:


@y-yagi y-yagi commented Apr 25, 2018

We do not offer a feature for that.
I think that can be handled by manually saving the contents of credentials as a temporary file and setting up credentials again.
Anyway, this is a feature request.

Please use the Rails Core mailing list for feature requests, where a wider community will be able to help you. We reserve the Rails issue tracker only for bugs in Rails. Thanks.

@y-yagi y-yagi closed this Apr 25, 2018

@mmhan mmhan commented Sep 22, 2018

> I think that can be handled by manually saving the contents of credentials as a temporary file and setting up credentials again.

I'm not sure how to do that step, "setting up credentials again". I couldn't find any credential-related tasks in rails -T either.


@Faizaankhan3 Faizaankhan3 commented Oct 30, 2018

Regenerate key
Was your master key compromised? Do you want to generate a new master.key?

Currently, there is no “edit password” feature; you need to copy the original content of the credentials, remove the enc files and regenerate a fresh credentials file (source)

step 1: copy the content of the original credentials: rails credentials:show
step 2: move your config/credentials.yml.enc and config/master.key away (mv config/credentials.yml.enc ./tmp/ && mv config/master.key ./tmp/)
step 3: run EDITOR=vim rails credentials:edit
step 4: paste the copied values from the original credentials
step 5: save and commit config/credentials.yml.enc

@y-yagi kindly try to understand the problem before closing an issue.


@SampsonCrowley SampsonCrowley commented Apr 16, 2020

@Faizaankhan3 I know this is necro bumping but calling out Yagi like that bugs me. He does understand the problem, and what he said is this isn't a bug, so it doesn't belong here.

There's no point in offering a feature like that for what the master key and your credentials file do.

If your master key is compromised, you're already out of luck. Even if you regenerate, all an attacker would need to do to access your data is to use your compromised key on an earlier version of the file. As soon as your key is compromised, so is all of the data in your credentials. You need to change all of those passwords regardless of whether you create a new master key, so there is no reason to offer an easy re-encrypt feature. You need to just generate a new credentials file with all new data and with a new key.
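
The point made in the comment above, as an added example (not part of the thread and not Rails' own code): re-encrypting under a new key leaves any earlier copy of the file readable with the old key. The AES-128-GCM cipher, the 32-hex-character key and the helper names are assumptions standing in for config/credentials.yml.enc and config/master.key.

```ruby
require "openssl"
require "securerandom"

# Simplified stand-in for an encrypted credentials file (assumption:
# AES-128-GCM with a 32-hex-character key; this is not Rails' own code).
CIPHER = "aes-128-gcm"

def generate_key
  SecureRandom.hex(16) # 16 random bytes as 32 hex characters
end

def encrypt(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Returns the plaintext, or nil when the key is wrong or the blob was altered.
def decrypt(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(data) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil
end

# Re-encrypt the same contents under a fresh key: what "changing the key" amounts to.
def rotate(blob, old_key)
  plaintext = decrypt(blob, old_key) or raise "old key does not open this file"
  new_key = generate_key
  [encrypt(plaintext, new_key), new_key]
end

# Constructed sample data, not real credentials.
OLD_KEY = generate_key
OLD_BLOB = encrypt("api_token: constructed-sample-value\n", OLD_KEY)
NEW_BLOB, NEW_KEY = rotate(OLD_BLOB, OLD_KEY)

puts "new file, old key: #{decrypt(NEW_BLOB, OLD_KEY).inspect}"
puts "new file, new key: #{decrypt(NEW_BLOB, NEW_KEY).inspect}"
puts "old file, old key: #{decrypt(OLD_BLOB, OLD_KEY).inspect}"
```

The last line is the case that matters: the copy encrypted before rotation (for example one kept in version-control history) still opens with the old key, so the secrets inside it have to be replaced at their source.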


@taimoorgit taimoorgit commented May 20, 2021

If you added your Rails master key to git, here's how to remove it.

Like Sampson said, you need to completely regenerate any credentials you previously had (such as API keys).

# remove master.key from git
git rm config/master.key

# uncomment master.key line
vim .gitignore 

# enter in NEWLY GENERATED credentials
EDITOR=vim bin/rails credentials:edit

# test your application...

# master.key should be deleted, gitignore and encrypted credentials should be changed
git status 

# ready to commit! 
