It enhances the Credentials feature introduced by Rails v5.2.0.


Add this line to your Rails application's Gemfile:

group :development, :test do
  gem 'rails-env-credentials'

And then execute:

$ bundle


RailsEnvCredentials manages credentials and key pairs with the following:


It also manages environment variables for each env.


You can use appropriate credentials depending on Rails.env.

$ rails env_credentials:show -e development
# config/credentials-development.yml.enc
  bucket: foo-dev

$ rails env_credentials:show -e production
# config/credentials.yml.enc
  bucket: foo-prod

$ rails runner -e development 'pp Rails.application.credentials.aws.bucket'
$ rails runner -e production 'pp Rails.application.credentials.aws.bucket'

Generating secrets and a master key

It automatically generate encrypted file and the master key when you starts editing credentials at first:

$ rails env_credentials:edit -e development

Show secrets

You want to see decrypted contents, use env_credentials:show:

$ rails env_credentials:show -e development

Additional information

Other environments support

For example, if the config/environments/staging.rb exists, you will generate config/credentials-staging.yml.enc.

$ rails env_credentials:edit -e staging

Display a diff

You can’t directly compare encrypted files between two versions, but it turns out you can see a diff using Git attributes.

Put the following line in your .gitattributes file:

config/credentials*.yml.enc diff=env_credentials

Then configure Git to use env_credentials:show:

$ git config diff.env_credentials.textconv 'rails env_credentials:show --file'

This tells Git that encrypted files should decrypt by the env_credentials:show task when you try to display a diff.

Why make this gem?

Credentials is a good feature, but we cannot use it on development and test environment.

DHH wrote as follow in the pull request for initial implementation:

It's only in production (and derivative environments, like exposed betas) where the secret actually needs to be secret.

However, I have to manage secrets and a master key different from production for testing in the staging environment.

I do not have the confidence to explain explicit use cases to Rails team, so I implemented as a gem.


The gem is available as open source under the terms of the MIT License.

