If you have been using the Rails.application.secrets feature, you have been able to ignore the deprecation until Rails 7.1. But now, Secrets is gone! We had been using config/secrets.yml in the past because our deployment script would just replace the file during deployment.
The “new” credentials on the other hand want to be kept in your repository, encrypted. We used the following playbook to migrate our secrets to the new format:
Development / Test
Use the Rails commands to generate the credentials and a random key. During the generation, it will pop open your editor and you can copy over the secrets from the old secrets.yml and respective environment onto the top level:
rails credentials:edit --environment development
rails credentials:edit --environment test
Then, in our case, the dev/test credentials are all fake anyway, so we will commit the keys to the repository:
# Copy over stuff from secrets,
# might commit dev/test key:
git add config/credentials/test.key -f
git add config/credentials/development.key -f
production
Generate the key and credentials file the same way:
rails credentials:edit --environment production
# use content of config/credentials/production.key and set it as Environment Variable RAILS_MASTER_KEY in ansible
cat config/credentials/production.key
Put the content of the production.key somewhere in your production pipeline as the environment variable RAILS_MASTER_KEY= (e.g. Heroku env, Ansible env, Docker env, etc.)
Migrate usage
Lastly, replace usages of Rails.application.secrets with Rails.application.credentials, here using the awesome sd + rg tool instead of sed. Our use find&replace all in your editor of choice:
sd application.secrets application.credentials `rg application.secrets -l`