rails: ActiveSupport::MessageEncryptor::InvalidMessage Rails 5.1 secrets

I generated secrets.yml.enc & secrets.yml.key, after secrets:edit and deploy by capistrano, I get above error. I don’t know why. Production mode locally works fine, but on real production wrong.

/home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/activesupport-5.1.4/lib/active_support/message_encryptor.rb:133:in rescue in _decrypt': ActiveSupport::MessageEncryptor::InvalidMessage (ActiveSupport::MessageEncryptor::InvalidMessage) from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/activesupport-5.1.4/lib/active_support/message_encryptor.rb:112:in _decrypt’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/activesupport-5.1.4/lib/active_support/message_encryptor.rb:84:in decrypt_and_verify' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/secrets.rb:55:in decrypt’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/secrets.rb:96:in preprocess' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/secrets.rb:27:in block in parse’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/secrets.rb:24:in each' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/secrets.rb:24:in each_with_object’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/secrets.rb:24:in parse' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/application.rb:391:in secrets’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/devise-4.3.0/lib/devise/rails.rb:36:in block in <class:Engine>' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/initializable.rb:30:in instance_exec’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/initializable.rb:30:in run' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/initializable.rb:59:in block in run_initializers’ from /home/crazypiter1990/.rvm/rubies/ruby-2.2.5/lib/ruby/2.2.0/tsort.rb:226:in block in tsort_each' from /home/crazypiter1990/.rvm/rubies/ruby-2.2.5/lib/ruby/2.2.0/tsort.rb:348:in block (2 levels) in each_strongly_connected_component’ from /home/crazypiter1990/.rvm/rubies/ruby-2.2.5/lib/ruby/2.2.0/tsort.rb:429:in each_strongly_connected_component_from' from /home/crazypiter1990/.rvm/rubies/ruby-2.2.5/lib/ruby/2.2.0/tsort.rb:347:in block in each_strongly_connected_component’ from /home/crazypiter1990/.rvm/rubies/ruby-2.2.5/lib/ruby/2.2.0/tsort.rb:345:in each' from /home/crazypiter1990/.rvm/rubies/ruby-2.2.5/lib/ruby/2.2.0/tsort.rb:345:in call’ from /home/crazypiter1990/.rvm/rubies/ruby-2.2.5/lib/ruby/2.2.0/tsort.rb:345:in each_strongly_connected_component' from /home/crazypiter1990/.rvm/rubies/ruby-2.2.5/lib/ruby/2.2.0/tsort.rb:224:in tsort_each’ from /home/crazypiter1990/.rvm/rubies/ruby-2.2.5/lib/ruby/2.2.0/tsort.rb:203:in tsort_each' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/initializable.rb:58:in run_initializers’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/application.rb:353:in initialize!' from /usr/home/crazypiter1990/domains/crazypiter1990.usermd.net/releases/20171211152401/config/environment.rb:5:in <top (required)>’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/activesupport-5.1.4/lib/active_support/dependencies.rb:292:in require' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/activesupport-5.1.4/lib/active_support/dependencies.rb:292:in block in require’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/activesupport-5.1.4/lib/active_support/dependencies.rb:258:in load_dependency' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/activesupport-5.1.4/lib/active_support/dependencies.rb:292:in require’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/application.rb:329:in require_environment!' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/command/actions.rb:16:in require_application_and_environment!’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/commands/console/console_command.rb:96:in perform' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/thor-0.20.0/lib/thor/command.rb:27:in run’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/thor-0.20.0/lib/thor/invocation.rb:126:in invoke_command' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/thor-0.20.0/lib/thor.rb:387:in dispatch’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/command/base.rb:63:in perform' from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/command.rb:44:in invoke’ from /home/crazypiter1990/domains/crazypiter1990.usermd.net/shared/bundle/ruby/2.2.0/gems/railties-5.1.4/lib/rails/commands.rb:16:in <top (required)>' from bin/rails:9:in require’ from bin/rails:9:in `<main>’

System configuration

Rails version: Rails 5.1.4 Ruby version: 2.2.5

About this issue

Original URL
State: closed
Created 7 years ago
Comments: 40 (11 by maintainers)

Most upvoted comments

hey @niightly, I had the same problem, I just delete config/credentials.yml.enc, then I ran rails edit:credentials and a new credentials file without issue was generated and everything works pretty well. I hope this helps!! Kudos

+376

javiermurillo on May 8, 2018

That comment didn’t work for me, so I tried

bundle exec rails credentials:edit

I also set

export EDITOR=vim

Rails 5.2.0 Ruby 2.5.1 P57

+57

BerkhanBerkdemir on Jun 5, 2018

deleting config/credentials.yml.enc and re-running rails credentials:edit, fix the issue for me, rails 5.2

+41

f0ster on Sep 21, 2018

I had the same problem. In my case, config/credentials.yml.enc has a trailing newline. So I deleted it with the following command:

perl -pe 's/\n//g' -i config/credentials.yml.enc

Some text editors or Git hooks add a newline at the end of file, so I created a PR to delete newlines before decrypting and show a error message if decryption failed:

https://github.com/rails/rails/pull/34059

+18

acro5piano on Jul 28, 2019

So few things that I did before error came up:

Run rails secrets:setup 2 Add line config.config.read_encrypted_secrets = true to production.rb
Run “EDITOR=‘subl --wait’ rails secrets:edit” in terminal
Fill the file with data ( attachment see)

example.txt

Rails encrypt the file with file secrets.yml.key
Add secrets.yml.key to linked_files in capistrano
Use secrets inside database.yml , e.g

<%= WorkoutRails::Application.secrets.database %>

+18

piotrpietrusewicz on Dec 13, 2017

Delete config/credentials.yml.enc (and also config/master.key), then regenerate credentials file :

rm config/credentials.yml.enc
rm config/master.key
EDITOR=vim rails credentials:edit

Hope this help someone.

+13

scratchoo on Jul 28, 2019

i can confirm

deleting config/credentials.yml.enc and rerun rails credentials:edit is fixing the issue in rails 5.2.2

krtschmr on Feb 12, 2019

I had the issue and I seemed to find the problem. Rails reads the key from environment variables (RAILS_MASTER_KEY) if it exists before trying to read the key from a file. I had two apps on the same server and the second app reads the key from environment variable for the first app, which is wrong key, and raises this error.

Is this a bug of rails? I mean, shouldn’t it be possible to override the key from environment variable so that multiple apps can coexist on the same server?

okuramasafumi on Mar 20, 2018

Deleting the enc file and re-creating it doesn’t seem a decent solution. Also, I can confirm it still happens on Rails 5.2.1.

Has anyone found a decent solution?

Thank you.

lucascaton on Sep 11, 2018

@rafaelfranca @y-yagi OK, now I found a way to reproduce this error.

Steps for isolated environment:

create a directory to export RAILS_MASTER_KEY for two apps (I recommend using direnv)
create one app from that directory (say app1)
create another app from that directory (say app2)
get master key from app1 and export it in parent directory
confirm rails credentials:edit command works in app1
confirm rails credentials:edit command DOESN’T work and raise error in app2

Simpler steps:

create one app
export master key from it
create another app in the same shell session
cd second app and run rails credentials:edit

okuramasafumi on Mar 21, 2018

thanks @acro5piano Having a new line in the config/credentials.yml.enc breaks rails secrets:edit. I accidentally pressed save on the file and it added a new line.

umarov on Apr 15, 2019

Deleting the enc file and re-creating it doesn’t seem a decent solution. Also, I can confirm it still happens on Rails 5.2.1.

Has anyone found a decent solution?

Thank you.

it works for me EDITOR=vim rails credentials:edit 😄 rails 5.2

hiro-riveros on Sep 20, 2018

I had this issue when using environment specific credentials on Heroku. What fixed it was removing RAILS_MASTER_KEY and replacing it with RAILS_STAGING_KEY (or whatever environment you want to use). It will not work if both keys are present.

iraritchiemeek on Jun 3, 2020

i can confirm

deleting config/credentials.yml.enc and rerun rails credentials:edit is fixing the issue in rails 5.2.2

Save my day, thanks!

My Solution:

Delete config/credentials.yml.enc
Run

$ export EDITOR=vim
$ rails secrets:edit

TheBlackHacker on May 4, 2019

Guys, anyone solves this issue?

@okuramasafumi I think I had the same problem you described, did you solved this?

niightly on Apr 18, 2018

@januszm No, what I meant was that rails should prefer loading key from file over loading from environment variable. In other words, if master key file exists rails should ignore environment variable so that multiple apps can use different keys.

okuramasafumi on Mar 25, 2018

Can you please provide a sample application that reproduces the error?

y-yagi on Dec 11, 2017