Reading the Rails Credential File Directly

March 10, 2026

Maybe you've got a lightweight Rack application or Ruby script where you want to be able to read sensitive data from your encrypted Rails credentials without having to load an entire Rails app. Rails.application.credentials won't be available. But if you've got ActiveSupport installed, you can use ActiveSupport::EncryptedConfiguration:

require 'active_support/encrypted_configuration'

credentials = ActiveSupport::EncryptedConfiguration.new(
  config_path: 'config/credentials/development.yml.enc',
  key_path: 'config/credentials/development.key',
  env_key: 'RAILS_MASTER_KEY',
  raise_if_missing_key: true
)

credentials.config
# => {key_one: "abc", key_two: "def"}

credentials.key_one
# => "abc"

Both key_path and env_key are required parameters, but only one will be used depending upon where you store your decryption key. The env_key is used if present, otherwise the key_path is used. When Rails loads credentials, it first looks for an ENV variable called "RAILS_MASTER_KEY" before looking for an env-specific file at "config/credentials/#{environment}.key" or master file at "config/master.key".

Scrolling Up and Down Logo
books
rails
ruby
sql
Copyright Chad Schroeder © 2026