authorWojciech Wnętrzak <w.wnetrzak@gmail.com>2017-11-14 11:44:23 +0100
committerKasper Timm Hansen <kaspth@gmail.com>2017-11-15 21:29:15 +0100
commit7a8728a03986489e1c843ed850afc2c16fb6eb06 (patch)
tree697428ddbb785a4ce32a77a43a5487914d28d3d1 /railties/lib/rails/generators
parented100166874fb4a542c5aaba933a4cca5ed72269 (diff)
Add CLI to manage encrypted files/configs.
To edit/show encrypted file:

```
bin/rails encrypted:edit config/staging_tokens.yml.enc
bin/rails encrypted:edit config/staging_tokens.yml.enc --key config/staging.key
bin/rails encrypted:show config/staging_tokens.yml.enc
```

Also provides a backing Rails.application.encrypted API for Ruby access:

```ruby
Rails.application.encrypted("config/staging_tokens.yml.enc").read
Rails.application.encrypted("config/staging_tokens.yml.enc").config
Rails.application.encrypted("config/staging_tokens.yml.enc", key: "config/staging.key")
```
Diffstat (limited to 'railties/lib/rails/generators')
-rw-r--r--railties/lib/rails/generators/rails/credentials/credentials_generator.rb19
-rw-r--r--railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb38
-rw-r--r--railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb53
-rw-r--r--railties/lib/rails/generators/rails/master_key/master_key_generator.rb24
4 files changed, 110 insertions, 24 deletions
diff --git a/railties/lib/rails/generators/rails/credentials/credentials_generator.rb b/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
index 52cb4bd8bf..ab15da5423 100644
--- a/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
+++ b/railties/lib/rails/generators/rails/credentials/credentials_generator.rb
@@ -7,14 +7,11 @@ require "active_support/encrypted_configuration"
module Rails
module Generators
class CredentialsGenerator < Base
- CONFIG_PATH = "config/credentials.yml.enc"
- KEY_PATH = "config/master.key"
-
def add_credentials_file
- unless File.exist?(CONFIG_PATH)
+ unless credentials.exist?
template = credentials_template
- say "Adding #{CONFIG_PATH} to store encrypted credentials."
+ say "Adding #{credentials.content_path} to store encrypted credentials."
say ""
say "The following content has been encrypted with the Rails master key:"
say ""
@@ -29,13 +26,17 @@ module Rails
end
def add_credentials_file_silently(template = nil)
- unless File.exist?(CONFIG_PATH)
- setup = { config_path: CONFIG_PATH, key_path: KEY_PATH, env_key: "RAILS_MASTER_KEY" }
- ActiveSupport::EncryptedConfiguration.new(setup).write(credentials_template)
- end
+ credentials.write(credentials_template)
end
private
+ def credentials
+ ActiveSupport::EncryptedConfiguration.new \
+ config_path: "config/credentials.yml.enc",
+ key_path: "config/master.key",
+ env_key: "RAILS_MASTER_KEY"
+ end
+
def credentials_template
"# aws:\n# access_key_id: 123\n# secret_access_key: 345\n\n" +
"# Used as the base secret for all MessageVerifiers in Rails, including the one protecting cookies.\n" +
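Review bot: `add_credentials_file_silently` now calls `credentials.write(credentials_template)` unconditionally, whereas the removed code wrote only when the file did not yet exist. Any caller that runs it in an app that already has `config/credentials.yml.enc` would replace the stored secrets with the sample template. Restoring the guard keeps the method idempotent: `credentials.write(credentials_template) unless credentials.exist?`. The `template` argument is also still ignored, so a caller passing its own content gets the default; `template || credentials_template` would honour it.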
diff --git a/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb b/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb
new file mode 100644
index 0000000000..ddce5f6fe2
--- /dev/null
+++ b/railties/lib/rails/generators/rails/encrypted_file/encrypted_file_generator.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require "rails/generators/base"
+require "active_support/encrypted_file"
+
+module Rails
+ module Generators
+ class EncryptedFileGenerator < Base
+ def add_encrypted_file(file_path, key_path)
+ unless File.exist?(file_path)
+ say "Adding #{file_path} to store encrypted content."
+ say ""
+ say "The following content has been encrypted with the encryption key:"
+ say ""
+ say template, :on_green
+ say ""
+
+ add_encrypted_file_silently(file_path, key_path)
+
+ say "You can edit encrypted file with `bin/rails encrypted:edit #{file_path}`."
+ say ""
+ end
+ end
+
+ def add_encrypted_file_silently(file_path, key_path, template = encrypted_file_template)
+ unless File.exist?(file_path)
+ setup = { content_path: file_path, key_path: key_path, env_key: "RAILS_MASTER_KEY" }
+ ActiveSupport::EncryptedFile.new(setup).write(template)
+ end
+ end
+
+ private
+ def encrypted_file_template
+ "# aws:\n# access_key_id: 123\n# secret_access_key: 345\n\n"
+ end
+ end
+ end
+end
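Review bot: In `add_encrypted_file`, the line `say template, :on_green` uses `template`, which is neither a parameter nor a local of that method; it is only a parameter of `add_encrypted_file_silently`. The bare name therefore presumably resolves to the generator's inherited `template` action and fails for lack of arguments before anything is written. Printing the default explicitly avoids that: `say encrypted_file_template, :on_green`. Separately, `env_key: "RAILS_MASTER_KEY"` is fixed even when a custom `key_path` is passed. If `ActiveSupport::EncryptedFile` prefers the environment variable over the key file (not visible here), the new file would be encrypted with the master key rather than the key the caller named, which deserves a comment or a parameter.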
diff --git a/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb b/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
new file mode 100644
index 0000000000..dd0d0c6c66
--- /dev/null
+++ b/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+require "pathname"
+require "rails/generators/base"
+require "active_support/encrypted_file"
+
+module Rails
+ module Generators
+ class EncryptionKeyFileGenerator < Base
+ def add_key_file(key_path)
+ key_path = Pathname.new(key_path)
+
+ unless key_path.exist?
+ key = ActiveSupport::EncryptedFile.generate_key
+
+ log "Adding #{key_path} to store the encryption key: #{key}"
+ log ""
+ log "Save this in a password manager your team can access."
+ log ""
+ log "If you lose the key, no one, including you, can access anything encrypted with it."
+
+ log ""
+ add_key_file_silently(key_path, key)
+ log ""
+ end
+ end
+
+ def add_key_file_silently(key_path, key = nil)
+ create_file key_path, key || ActiveSupport::EncryptedFile.generate_key
+ end
+
+ def ignore_key_file(key_path, ignore: key_ignore(key_path))
+ if File.exist?(".gitignore")
+ unless File.read(".gitignore").include?(ignore)
+ log "Ignoring #{key_path} so it won't end up in Git history:"
+ log ""
+ append_to_file ".gitignore", ignore
+ log ""
+ end
+ else
+ log "IMPORTANT: Don't commit #{key_path}. Add this to your ignore file:"
+ log ignore, :on_green
+ log ""
+ end
+ end
+
+ private
+ def key_ignore(key_path)
+ [ "", "/#{key_path}", "" ].join("\n")
+ end
+ end
+ end
+end
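Review bot: `add_key_file_silently` writes the key with `create_file` and never sets a mode, so the key file gets whatever the process umask allows, which is commonly readable by other local users. Follow the write with `File.chmod(0600, key_path)` so that only the owner can read it. `add_key_file` also interpolates `#{key}` into its first `log` line, which puts the key into terminal scrollback and any captured generator output. A comment there should state that this is deliberate, or the message should name only the path.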
diff --git a/railties/lib/rails/generators/rails/master_key/master_key_generator.rb b/railties/lib/rails/generators/rails/master_key/master_key_generator.rb
index 29d83f5d81..e57f07c1ae 100644
--- a/railties/lib/rails/generators/rails/master_key/master_key_generator.rb
+++ b/railties/lib/rails/generators/rails/master_key/master_key_generator.rb
@@ -1,7 +1,8 @@
# frozen_string_literal: true
-require "rails/generators/base"
require "pathname"
+require "rails/generators/base"
+require "rails/generators/rails/encryption_key_file/encryption_key_file_generator"
require "active_support/encrypted_file"
module Rails
@@ -20,31 +21,24 @@ module Rails
log "If you lose the key, no one, including you, can access anything encrypted with it."
log ""
- add_master_key_file_silently key
+ add_master_key_file_silently(key)
log ""
end
end
def add_master_key_file_silently(key = nil)
- create_file MASTER_KEY_PATH, key || ActiveSupport::EncryptedFile.generate_key
+ key_file_generator.add_key_file_silently(MASTER_KEY_PATH, key)
end
def ignore_master_key_file
- if File.exist?(".gitignore")
- unless File.read(".gitignore").include?(key_ignore)
- log "Ignoring #{MASTER_KEY_PATH} so it won't end up in Git history:"
- log ""
- append_to_file ".gitignore", key_ignore
- log ""
- end
- else
- log "IMPORTANT: Don't commit #{MASTER_KEY_PATH}. Add this to your ignore file:"
- log key_ignore, :on_green
- log ""
- end
+ key_file_generator.ignore_key_file(MASTER_KEY_PATH, ignore: key_ignore)
end
private
+ def key_file_generator
+ EncryptionKeyFileGenerator.new
+ end
+
def key_ignore
[ "", "# Ignore master key for decrypting credentials and more.", "/#{MASTER_KEY_PATH}", "" ].join("\n")
end
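Review bot: `key_file_generator` builds `EncryptionKeyFileGenerator.new` with no arguments, so the options given to the master key generator (quiet, pretend, force) and its destination root presumably do not reach the `create_file` and `append_to_file` calls that now run in the delegate. Passing them through keeps the key file and `.gitignore` edits under the caller's settings: `EncryptionKeyFileGenerator.new([], options)`. A new delegate is also constructed on every call; memoizing it with `@key_file_generator ||=` would avoid that. The class body starts outside this hunk, so the constructor signature inherited from `Base` should be confirmed.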