Rails credentials decrypt fails (missing RAILS_MASTER_KEY) in CI
Rails tried to read config/credentials.yml.enc but has no key to decrypt it. config/master.key is gitignored, so CI must provide the key through the RAILS_MASTER_KEY environment variable from a secret.
What this error means
Boot or credentials:show fails with "ActiveSupport::MessageEncryptor::InvalidMessage" or "Missing encryption key to decrypt file with. Ask your team for your master key".
Missing encryption key to decrypt file with. Ask your team for your master key
and write it to config/master.key or put it in the ENV['RAILS_MASTER_KEY'].Common causes
master.key is not committed (correctly gitignored)
config/master.key is intentionally excluded from git, so the CI checkout has no key file to decrypt credentials.
RAILS_MASTER_KEY secret is not set
The workflow did not expose RAILS_MASTER_KEY, so Rails has neither the file nor the env var and cannot decrypt.
How to fix it
Expose the master key as a secret
- Copy the contents of
config/master.keyinto a repository secret named RAILS_MASTER_KEY. - Export it in the workflow env for steps that read credentials.
- Confirm with
bin/rails credentials:showin a debug step.
env:
RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}Use an environment-specific key if configured
If you use per-environment credentials, set the matching key (for example config/credentials/production.key) via its env var.
env:
RAILS_MASTER_KEY: ${{ secrets.PROD_MASTER_KEY }}How to prevent it
- Keep master.key out of git and in CI secrets only.
- Rotate the key and update the secret in one place if leaked.
- Avoid reading credentials in test unless a step truly needs them.