Add possibility to set custom Rails.application.credentials object.

[morgoth]

In multi environment application one can set custom file by:

config.before_initialize do
  self.credentials = encrypted("config/custom-credentials.yml.enc")
end

The last missing part of credentials feature ;-)

r? @kaspth

[blvrd]

@morgoth I've been playing around with another implementation that allows you to keep all secrets in one credentials.yml.enc file and it uses the current Rails environment to determine the correct keys to use. I'm using the following structure.

development:
  # development keys...

staging:
  # staging keys...

production:
  # production keys...

Is it preferable to use a separate file for each environment?

[morgoth]

@garrettqmartin8 The problem with this approach is that you're sharing credentials for all environments with the single encryption key, which for some might be a security concern.

Without setting custom credentials object it won't be possible to store secret_key_base in it, as this is how it's retrieved now https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L427-L435

[blvrd]

Ah I see. That makes sense.

[kaspth]

I'm not that fond of the proposed API. You could write a custom wrapper in your app that falls back to credentials in the production environment.

Or hell, the wrapper just does something like credentials.config.merge(encrypted("config/env-specific-file.enc").config). Thanks!

[morgoth]

@kaspth Yes, that wouldn't be a problem. The issue currently is, that it's not possible to have secret_key_base encrypted in this file, as this is how Rails reads it https://github.com/rails/rails/blob/master/railties/lib/rails/application.rb#L427-L435

I would have to special case it and set SECRET_KEY_BASE env var only for this one (alongside RAILS_MASTER_KEY)