Should be able to regenerate master.key

Pradeep Agrawal

Apr 26, 2018, 2:41:21 AM
to Ruby on Rails: Core
There should be functionality by which we can change master.key, just as we change our password by providing the current password and a new password. Similarly, we should be able to change master.key by using the current master.key, and it should generate a new master.key and encrypt the current credentials with the newly created master.key.

I think this would be a required feature as we are going to use Rails encrypted credentials, and once our master.key gets compromised we don't have a way to change it.

I created an issue for the same over here. You can refer to it for more details.


Please let me know your thoughts on this.

Alberto Almagro

Apr 26, 2018, 9:59:08 AM
to Ruby on Rails: Core
Hi Pradeep,

From my point of view, in case the master.key gets compromised, as you say, you still know it and can access your credentials. In this case, you would always be able to set up credentials again.

I think you meant "in case you forget the master.key". The problem that comes to my mind is that you can't easily have a mechanism to restore it without opening a security hole, which is what this feature wants to avoid. Did you already come up with an idea to handle this?

Kind regards,
Alberto Almagro

Pradeep Agrawal

Apr 30, 2018, 2:11:06 AM
to Ruby on Rails: Core
Hi Alberto,

Thanks for your response. What I meant is that if someone else gets my private key, then he would be able to decrypt the credentials file.

I was suggesting that there should be a rake task or something like that which uses the current master.key and generates a new master.key. That way we can change our master.key whenever required.

Please let me know your thoughts on it.

Pradeep Agrawal

May 2, 2018, 9:08:40 AM
to Ruby on Rails: Core
Hi Alberto,

I have figured out a way to do that. It is a trick right now, but the end result would be what we want. I am planning to create a rake task for this which will do this.
Please let me know if I should do that.

Alberto Almagro

May 11, 2018, 10:38:51 AM
to Ruby on Rails: Core
Hi Pradeep,

Sorry for the delay, I had a lot going on these days.

In the end the functionality would be more or less what it is at the moment, but I like the point that you don't have to recreate everything. It would simply be to encrypt the secrets again with a newly generated key. Provided that you must supply the current master.key to be able to trigger the process, it seems interesting to me.

Let's see if a member of the Rails Core team shares his/her thoughts about this.

Cheers,
Alberto
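
The rotation discussed in this thread (decrypt with the current key, re-encrypt under a freshly generated one), sketched as an added example that is not code from any poster or from Rails itself. The AES-128-GCM cipher and the `data--iv--tag` layout are assumptions modelled on Rails' encrypted credentials, and every function name and the sample content are hypothetical.

```ruby
require "openssl"
require "securerandom"

# Constructed stand-in for a credentials file; not Rails' own implementation.
CIPHER = "aes-128-gcm"
SAMPLE = "secret_key_base: constructed-sample-value\n"

def generate_key
  SecureRandom.hex(16) # 32 hex characters = 128-bit key
end

def encrypt(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(plaintext) + cipher.final
  # Store ciphertext, IV and auth tag as Base64 fields joined by "--".
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

def decrypt(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  raise ArgumentError, "malformed blob" unless tag && tag.bytesize == 16
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  # final raises OpenSSL::Cipher::CipherError when the key or tag is wrong.
  (cipher.update(data) + cipher.final).force_encoding(Encoding::UTF_8)
end

# Rotation requires the current key: decrypt with it, re-encrypt under a new one.
def rotate(blob, current_key)
  plaintext = decrypt(blob, current_key)
  new_key = generate_key
  new_blob = encrypt(plaintext, new_key)
  raise "round-trip failed" unless decrypt(new_blob, new_key) == plaintext
  [new_blob, new_key]
end

if __FILE__ == $PROGRAM_NAME
  old_key = generate_key
  new_blob, new_key = rotate(encrypt(SAMPLE, old_key), old_key)
  puts "rotated; new key decrypts: #{decrypt(new_blob, new_key) == SAMPLE}"
end
```

Re-encrypting only protects the file going forward: copies encrypted under the old key (for example in version control history) remain readable with it, so the secrets stored inside need to be reissued as well.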