I've just been through the steps to upgrade our Rails app from 5.1.6.2 to 6.0.0 via 5.2, (I chose to not to worry about the credentials concern until 6.0.0 in case it ended up meaning I had to figure out new credentials twice).
I've been looking at a number of guides as to how to use the new credentials when upgrading, but they all feel like they're missing a final step, or I'm misunderstanding something. Doing no credentials upgrade at all seemed to cause no problems in my local development environment, but when attempting to deploy to our production env (Convox/AWS), I got the following error:
Missing encryption key to decrypt file with. Ask your team for your master key and write it to /app/config/master.key or put it in the ENV['RAILS_MASTER_KEY'].
Confusingly (to me), the was already an ENV var of that name with a secret key set, and any changes to it locally before or after stepping through the guides raise a ActiveSupport::MessageEncryptor::InvalidMessage (ActiveSupport::MessageEncryptor::InvalidMessage) error.
Stepping through the guides, I'm using Sublime, so initially I ran EDITOR="subl --wait" rails credentials:edit, and then pasted the secret key base value over the current value of config/master.key - causing the error above. Which has left me unsure of what I'm actually supposed to do with the secret_key_base key. I've tried putting it in the prod env var RAILS_MASTER_KEY, but then on deployment that still gets the error Missing encryption key to decrypt file with. Ask your team for your master key and write it to /app/config/master.key or put it in the ENV['RAILS_MASTER_KEY']. I've tried deleting the secrets.yml file in case that was overwriting something, but that doesn't change the deployments message.
So what else should I have done?
I would create a
master.keyfile in yourconfigfolder and add your key to it. (The value you used to setRAILS_MASTER_KEYenv var. However, make sure you exclude it from VCS (just add it to your.gitignore). That should fix your problem, given the key is the right one. If not, you will have to regenerate the encrypted credentials file altogether.... but that's another story.