How to use Credentials in Ruby on Rails 6? TLDR

create credentials & edit:

rails credentials:edit 
EDITOR=vim rails credentials:edit
rails credentials:show

`config/credentials.yml` example:

awss3:
  access_key_id: YOUR_CODE_FOR_S3_STORAGE
  secret_access_key: YOUR_CODE_FOR_S3_STORAGE
google_analytics: YOUR_CODE_FOR_GOOGLE_ANALYTICS
recaptcha:
  site_key: YOUR_CODE_FOR_RECAPTCHA
  secret_key: YOUR_CODE_FOR_RECAPTCHA
google_oauth2:
  client_id: YOUR_CODE_FOR_OAUTH
  client_secret: YOUR_CODE_FOR_OAUTH
development:
  github:
    client: YOUR_CODE_FOR_OAUTH
    secret: YOUR_CODE_FOR_OAUTH
  stripe:
    publishable: YOUR_STRIPE_PUBLISHABLE
    secret: YOUR_STRIPE_SECRET
production:
  github:
    client: YOUR_CODE_FOR_OAUTH
    secret: YOUR_CODE_FOR_OAUTH
  stripe:
    publishable: YOUR_STRIPE_PUBLISHABLE
    secret: YOUR_STRIPE_SECRET
facebook:
  client: YOUR_CODE_FOR_OAUTH
  secret: YOUR_CODE_FOR_OAUTH

working with VIM

To enable editing press i

For exiting with saving press Esc & :wq & Enter

For exiting without saving press Esc & :q! & Enter

To make Ctrl+V work properly Esc & :set paste & i & Ctrl + V`

Example of using credentials in devise.rb:

config.omniauth :github, Rails.application.credentials.dig(Rails.env.to_sym, :github, :id), Rails.application.credentials.dig(Rails.env.to_sym, :github, :secret)

if Rails.application.credentials[Rails.env.to_sym].present? && Rails.application.credentials[Rails.env.to_sym][:github].present?
  config.omniauth :github, Rails.application.credentials[Rails.env.to_sym][:github][:id], Rails.application.credentials[Rails.env.to_sym][:github][:secret]
end

Example of using credentials in `stripe.rb`:

Stripe.api_key = Rails.application.credentials.dig(:stripe, :secret)

HINT: using `.dig` is safer

find a credential

rails c
Rails.application.credentials.dig(:aws, :access_key_id)
Rails.application.credentials[Rails.env.to_sym][:aws][:access_key_id]
Rails.application.credentials.some_variable
Rails.application.credentials[:production][:aws][:id]
Rails.application.credentials.production[:aws][:id]

See credentials changes in local git:

rails credentials:diff --enroll
git diff config/credentials.yml.enc

Credentials for different environments

EDITOR=vim bin/rails credentials:edit --environment development

will generate

config/credentials/development.yml.enc
config/credentials/development.key

Set `master.key` in production (heroku):

By default master.key is in .gitignore

heroku config:set RAILS_MASTER_KEY=123456789
heroku config:set RAILS_MASTER_KEY=`cat config/master.key`
heroku config:set RAILS_MASTER_KEY=`cat config/credentials/production.key`

Bonus: in config/environments/production.rb uncomment config.require_master_key = true

The config/credentials.yml file should NOT be in gitignore.

The config/master.key that decrypts the credentials SHOULD be in gitignore.

my answer on stackoverflow

create credentials & edit:

config/credentials.yml example: