Diffstat (limited to 'railties/lib/rails/commands/secrets')
-rw-r--r-- | railties/lib/rails/commands/secrets/USAGE | 12 | ||||
-rw-r--r-- | railties/lib/rails/commands/secrets/secrets_command.rb | 53 |
2 files changed, 51 insertions, 14 deletions
diff --git a/railties/lib/rails/commands/secrets/USAGE b/railties/lib/rails/commands/secrets/USAGE index 4b7deb4e2a..e205cdc001 100644 --- a/railties/lib/rails/commands/secrets/USAGE +++ b/railties/lib/rails/commands/secrets/USAGE @@ -7,7 +7,7 @@ with the code. === Setup -Run `bin/rails secrets:setup` to opt in and generate the `config/secrets.yml.key` +Run `rails secrets:setup` to opt in and generate the `config/secrets.yml.key` and `config/secrets.yml.enc` files. The latter contains all the keys to be encrypted while the former holds the @@ -40,9 +40,17 @@ be encrypted. A `shared:` top level key is also supported such that any keys there is merged into the other environments. +Additionally, Rails won't read encrypted secrets out of the box even if you have +the key. Add this: + + config.read_encrypted_secrets = true + +to the environment you'd like to read encrypted secrets. `rails secrets:setup` +inserts this into the production environment by default. + === Editing Secrets -After `bin/rails secrets:setup`, run `bin/rails secrets:edit`. +After `rails secrets:setup`, run `rails secrets:edit`. That command opens a temporary file in `$EDITOR` with the decrypted contents of `config/secrets.yml.enc` to edit the encrypted secrets. diff --git a/railties/lib/rails/commands/secrets/secrets_command.rb b/railties/lib/rails/commands/secrets/secrets_command.rb index 3ba8c0c85b..2eebc0f35f 100644 --- a/railties/lib/rails/commands/secrets/secrets_command.rb +++ b/railties/lib/rails/commands/secrets/secrets_command.rb 
@@ -1,36 +1,65 @@ +# frozen_string_literal: true + require "active_support" require "rails/secrets" module Rails module Command class SecretsCommand < Rails::Command::Base # :nodoc: - def help - say "Usage:\n #{self.class.banner}" - say "" - say self.class.desc + no_commands do + def help + say "Usage:\n #{self.class.banner}" + say "" + say self.class.desc + end end def setup - require "rails/generators" - require "rails/generators/rails/encrypted_secrets/encrypted_secrets_generator" - - Rails::Generators::EncryptedSecretsGenerator.start + deprecate_in_favor_of_credentials_and_exit end def edit + if ENV["EDITOR"].to_s.empty? + say "No $EDITOR to open decrypted secrets in. Assign one like this:" + say "" + say %(EDITOR="mate --wait" rails secrets:edit) + say "" + say "For editors that fork and exit immediately, it's important to pass a wait flag," + say "otherwise the secrets will be saved immediately with no chance to edit." + + return + end + require_application_and_environment! Rails::Secrets.read_for_editing do |tmp_path| - puts "Waiting for secrets file to be saved. Abort with Ctrl-C." - system("\$EDITOR #{tmp_path}") + system("#{ENV["EDITOR"]} #{tmp_path}") end - puts "New secrets encrypted and saved." + say "New secrets encrypted and saved." rescue Interrupt - puts "Aborted changing encrypted secrets: nothing saved." + say "Aborted changing encrypted secrets: nothing saved." rescue Rails::Secrets::MissingKeyError => error say error.message + rescue Errno::ENOENT => error + if /secrets\.yml\.enc/.match?(error.message) + deprecate_in_favor_of_credentials_and_exit + else + raise + end + end + + def show + say Rails::Secrets.read end + + private + def deprecate_in_favor_of_credentials_and_exit + say "Encrypted secrets is deprecated in favor of credentials. Run:" + say "rails credentials:help" + + exit 1 + end end end end |
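Review bot: In `edit`, `system("#{ENV["EDITOR"]} #{tmp_path}")` still builds a single shell string with the temp path interpolated unquoted, so a path containing spaces or shell metacharacters (for example from an unusual temp directory) is split or interpreted by the shell instead of reaching the editor as one argument. Because `$EDITOR` legitimately needs word splitting (`mate --wait`), escaping only the path keeps that behaviour: `system("#{ENV["EDITOR"]} #{Shellwords.escape(tmp_path.to_s)}")`, with `require "shellwords"` next to the other requires. The return value of `system` is also discarded, so "New secrets encrypted and saved." is printed even when the editor could not be started or exited non-zero; whether `read_for_editing` then re-encrypts the untouched file is not visible in this hunk, but checking the result before the success message would be safer. Separately, the new `show` writes the decrypted secrets to stdout and has no `rescue Rails::Secrets::MissingKeyError` as `edit` does, so a missing key presumably surfaces as a raw exception rather than the friendly message.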