Skip to content
Latchkey

Rails credentials decrypt fails (missing RAILS_MASTER_KEY) in CI

Rails tried to read config/credentials.yml.enc but has no key to decrypt it. config/master.key is gitignored, so CI must provide the key through the RAILS_MASTER_KEY environment variable from a secret.

What this error means

Boot or credentials:show fails with "ActiveSupport::MessageEncryptor::InvalidMessage" or "Missing encryption key to decrypt file with. Ask your team for your master key".

Rails
Missing encryption key to decrypt file with. Ask your team for your master key
and write it to config/master.key or put it in the ENV['RAILS_MASTER_KEY'].

Common causes

master.key is not committed (correctly gitignored)

config/master.key is intentionally excluded from git, so the CI checkout has no key file to decrypt credentials.

RAILS_MASTER_KEY secret is not set

The workflow did not expose RAILS_MASTER_KEY, so Rails has neither the file nor the env var and cannot decrypt.

How to fix it

Expose the master key as a secret

  1. Copy the contents of config/master.key into a repository secret named RAILS_MASTER_KEY.
  2. Export it in the workflow env for steps that read credentials.
  3. Confirm with bin/rails credentials:show in a debug step.
.github/workflows/ci.yml
env:
  RAILS_MASTER_KEY: ${{ secrets.RAILS_MASTER_KEY }}

Use an environment-specific key if configured

If you use per-environment credentials, set the matching key (for example config/credentials/production.key) via its env var.

.github/workflows/ci.yml
env:
  RAILS_MASTER_KEY: ${{ secrets.PROD_MASTER_KEY }}

How to prevent it

  • Keep master.key out of git and in CI secrets only.
  • Rotate the key and update the secret in one place if leaked.
  • Avoid reading credentials in test unless a step truly needs them.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →