Version Tests Code Climate Donorbox

Credentials for Bridgetown

This plugin adds Rails-like encrypted credentials to Bridgetown.

Credentials like passwords, access tokens and other secrets are often passed to sites each by it's own ENV variable. This is both uncool, non-atomic and therefore unreliable. Use this plugin to store your credentials in encrypted YAML files which you can safely commit to your source code repository. In order to use all of them in Bridgetown, you have to set or pass exactly one ENV variable holding the key to decrypt.


First add this gem to your bundle:

$ bundle add bridgetown_credentials

Then enable it in config/initializers.rb:

init :bridgetown_credentials

For the time being, it's necessary to require this gem early in the boot process for the commands to be picked up. Add config/boot.rb to your site reading:

Bundler.setup(:default, Bridgetown.env)
require "bridgetown_credentials"

For safety, you should exclude key files from the source code repository:

bin/bridgetown apply "$(bundle info --path bridgetown_credentials)/bridgetown.automation.rb"

Secure Installation

This gem is cryptographically signed in order to assure it hasn't been tampered with.

To install it securely, add the author's public key as a trusted certificate and then install the bundle with the trust policy of your choice:

gem cert --add <(curl -Ls
bundle install --trust-policy MediumSecurity


First Time

Make sure you have set the EDITOR variable to your favourite editor and then create a new credentials file:

echo $EDITOR
bin/bridgetown credentials edit

You might want to add something along the lines of:

foo: bar
  access_key_id: awsXid
  secret_access_key: awsXsecret
    api_key: goomXkey
    api_key: goopXkey

After saving the file, the following new files have been created:

 └─ credentials/
     ├─ development.key
     └─ development.yml.enc

⚠️ Move the *.key files to a safe place such as a password manager now! Never check them into the source code repository!

The credentials you've edited above have been written to development.yml.enc and will be available when Bridgetown is in development mode.

To edit the credentials for production mode:

bin/bridgetown credentials edit -e production

To edit or use a credentials file from now on, you have to set the corresponding key as an ENV variable. The actual key is the content of the *.key file you should have tucked away above.

export BRIDGETOWN_DEVELOPMENT_KEY="10aabbccddeeff00112233445566778899"
export BRIDGETOWN_PRODUCTION_KEY="20aabbccddeeff00112233445566778899"

Unified Environments

If you prefer not to separate credentials between different environments:

rm config/credentials/production.*
mv config/credentials/development.yml config/credentials.yml
rmdir config/credentials

This simplifies the files to:

 └─ credentials.yml.enc

To edit or use this from now on, you have to set:

export BRIDGETOWN_CREDENTIALS_KEY="30aabbccddeeff00112233445566778899"

⚠️ If config/credentials.yml is present, any other credentials files are ignored.


Throughout the Bridgetown stack, you can now use the credentials as follows:                            # => "bar"[:access_key_id]            # => "awsXid", :api_key)   # => "goomXkey"


  • bin/bridgetown credentials edit – edit the credentials
  • bin/bridgetown credentials show – dump the decrypted credentials to STDOUT


  • bundle exec rake test to run the test suite
  • script/cibuild to validate with Rubocop and Minitest together


You're welcome to submit issues and contribute code by forking the project and submitting pull requests.