When using Rails credentials, you will edit the encrypted credentials for staging or production environments from time to time. To do that you need the secret key, which should only live on the servers.
Do not download these key files to your local dev environment. They are sensitive and must not be stored on your machine.
Instead, put the attached Capistrano task into lib/capistrano/tasks/ of your application. It expects environment-specific keys to live in :shared_path/config/credentials/:stage.key. If you have a single master.key (e.g. on Rails < 7.2), edit the Capistrano task to find the key at :shared_path/config/master.key instead.
Usage
cap <environment> credentials:edit will open an editor with the decrypted local credentials file. The decryption key is kept in memory and never written to disk.
This strategy a) avoids keys leaking from dev machines and b) couples credentials edit permissions to deploy stage permissions, which is perfect.
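The mechanics such a task relies on, as an added example (this is not the attached Capistrano task): plain Ruby that reads the stage key over SSH, keeps it in a variable, and hands it to bin/rails through the RAILS_MASTER_KEY environment variable. The helper names, the use of plain ssh, and the assumption that the stage name equals the Rails environment name are this example's own; it covers the per-stage key layout only.

```ruby
require "open3"
require "shellwords"

# Rails generates credentials keys as 32 hex characters (AES-128-GCM).
KEY_FORMAT = /\A\h{32}\z/

# Key location on the server, following the convention described above.
def remote_key_path(shared_path, stage)
  File.join(shared_path, "config", "credentials", "#{stage}.key")
end

# Reads the key over SSH into a Ruby string. The argv form avoids a local
# shell; the path is escaped because ssh hands it to a shell on the server.
def fetch_key(host, path)
  out, status = Open3.capture2("ssh", host, "cat", Shellwords.escape(path))
  raise "could not read #{path} on #{host}" unless status.success?
  out.strip
end

# Returns [env, argv] for the local edit. Nothing is written to disk.
def edit_invocation(stage, key, app_root: Dir.pwd)
  raise ArgumentError, "unexpected key format" unless key.match?(KEY_FORMAT)
  # A key file on the dev machine is exactly what this workflow avoids.
  local = File.join(app_root, "config", "credentials", "#{stage}.key")
  raise "local key file present, remove it: #{local}" if File.exist?(local)
  env = { "RAILS_MASTER_KEY" => key }
  [env, ["bin/rails", "credentials:edit", "--environment", stage.to_s]]
end

def edit_credentials(host, shared_path, stage)
  key = fetch_key(host, remote_key_path(shared_path, stage))
  env, argv = edit_invocation(stage, key)
  # Passing an env hash keeps the key out of the command line (visible in
  # `ps`) and out of shell history, unlike "RAILS_MASTER_KEY=... bin/rails".
  system(env, *argv)
end

# Hypothetical invocation: ruby edit_credentials.rb deploy@host /path/shared staging
edit_credentials(*ARGV) if $PROGRAM_NAME == __FILE__ && ARGV.size == 3
```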