Methodology for Credentials key rotation


Micah Buckley-Farlee

May 24, 2018, 2:56:27 PM
to Ruby on Rails: Talk
Hello!

I've been in a bit of pain recently around rotating our Secrets/Credentials key.

Assuming that either the config/master.key file is not checked in, or (as in our case), the RAILS_MASTER_KEY env var is used to specify the key, it is difficult to gracefully rotate keys. Our infrastructure for environment management is separate from our deploy infrastructure, so it is not possible for us to change specific environment variables with deploys of specific commits. I imagine this may also be an issue for various methods of getting the config/master.key file in place on production environments.

I'm curious if there is already a story for key rotation that I'm missing, or if that might be something worth implementing (which I would be happy to do).

The obvious solution would be the ability to specify multiple key files or env vars, and simply use whichever one successfully decrypts the credentials.

Cheers!
Micah
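
The multi-key fallback proposed in the message above, sketched as an added example; it is not part of the thread and not Rails's own code. It assumes a stand-in file format (AES-128-GCM, Base64 fields joined as `data--iv--tag`), and the helper names, keys and secret are constructed for illustration.

```ruby
require "openssl"

CIPHER = "aes-128-gcm"
# Constructed sample keys (hex, 128-bit) and secret; not real values.
OLD_KEY = "00112233445566778899aabbccddeeff"
NEW_KEY = "ffeeddccbbaa99887766554433221100"
SECRET  = "api_token: constructed-sample-value\n"

# Encrypt under one key; returns Base64 "data--iv--tag" (assumed stand-in format).
def encrypt_credentials(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Decrypt with one key; raises OpenSSL::Cipher::CipherError if the GCM tag fails.
def decrypt_credentials(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  # Insist on a full 16-byte tag so a truncated tag cannot weaken the check.
  raise ArgumentError, "malformed blob" unless data && iv && tag&.bytesize == 16
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(data) + cipher.final
end

# Try each candidate key in order; returns [plaintext, index of the key that worked].
def decrypt_with_any(blob, hex_keys)
  hex_keys.each_with_index do |key, index|
    return [decrypt_credentials(blob, key), index]
  rescue OpenSSL::Cipher::CipherError # tag mismatch: output discarded, try the next key
  end
  raise ArgumentError, "no candidate key decrypts the credentials"
end

# Rollover: the environment carries both keys while commits switch from old to new.
def rotation_demo
  keys = [NEW_KEY, OLD_KEY]
  before = encrypt_credentials(SECRET, OLD_KEY) # commit still encrypted under old key
  after = encrypt_credentials(SECRET, NEW_KEY)  # commit re-encrypted under new key
  [decrypt_with_any(before, keys), decrypt_with_any(after, keys)]
end

p rotation_demo
```

"Successfully decrypts" is well defined here only because GCM authenticates the ciphertext; a wrong key and a tampered file both surface as the same tag failure. Recording the returned key index shows when no deployed commit still depends on the old key, so it can be removed from the environment.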

Micah Buckley-Farlee

May 24, 2018, 3:13:10 PM
to rubyonra...@googlegroups.com
Also, just a note that I realized after posting this that core would be a better place for it, so I posted a similar message there. Sorry for the duplication.

--
Micah Buckley-Farlee
Application Development Manager
Verba Software