Key rotation story for Credentials


Key rotation story for Credentials

Micah Buckley-Farlee
Hello all,

I've been in a bit of pain recently figuring out how to gracefully rotate the encryption key for Credentials. (Same pain also applies to Secrets)

This seems to be an issue both with using the RAILS_MASTER_KEY env variable (as we do), and the config/master.key file, provided that file is not checked in, but placed or symlinked there via some other process.

Our issue is that we do not have any way to tie environment changes to specific commits or deploys.

I suspect this might be a shared issue, and I was wondering if there is a story around credentials key rotation that I am missing, and if not, if it may be something worth implementing (which I would be happy to take a stab at).

Two solutions that come to mind would be to
a) allow configuring the env var or file to use, or
b) have Rails check two env vars and file paths, and use the one which successfully decrypts the secrets file.

Cheers!
Micah

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.

Re: Key rotation story for Credentials

Micah Buckley-Farlee
Just following up here - 

would there be any opposition to making the Credentials secret environment variable and file path configurable?
This affords some flexibility and eases key rotation, while still encouraging safe practices by not allowing direct placement of the key in config.

-Micah


Re: Key rotation story for Credentials

DHH-2
In reply to this post by Micah Buckley-Farlee
I prefer the idea that we try all the keys we have and if any of them can decrypt, we decrypt. Rather than having people mess about with configurations. Happy to see a PR for this.


Re: Key rotation story for Credentials

Micah Buckley-Farlee
Great, I'll give it a shot.

What should we check for "all the keys we have"?
For files, perhaps config/*.key, what about env vars? RAILS_MASTER_KEY* maybe?

-Micah 

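The "try all the keys we have" approach discussed in this thread, sketched as an added example; it is not code from the thread or from Rails. It assumes AES-128-GCM with 32-hex-character keys, a constructed blob layout, and a hypothetical `RAILS_MASTER_KEY_OLD` variable standing in for the `RAILS_MASTER_KEY*` idea.

```ruby
require "openssl"
require "securerandom"

# Constructed blob layout for this example: 12-byte IV | 16-byte GCM tag | ciphertext.
def encrypt_blob(hex_key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ciphertext
end

def decrypt_blob(hex_key, blob)
  raise ArgumentError, "blob too short" if blob.bytesize <= 28
  cipher = OpenSSL::Cipher.new("aes-128-gcm").decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  cipher.auth_data = ""
  cipher.update(blob.byteslice(28..)) + cipher.final # final raises if the tag does not verify
end

# Key sources floated in the thread: RAILS_MASTER_KEY* env vars and config/*.key files.
# Malformed candidates (not 32 hex chars) are dropped before any decrypt attempt.
def candidate_keys(env, key_dir)
  from_env = env.select { |name, _| name.start_with?("RAILS_MASTER_KEY") }.sort.to_h
  from_files = Dir.glob(File.join(key_dir, "*.key")).sort.to_h { |path| [path, File.read(path)] }
  from_env.merge(from_files).transform_values(&:strip).select { |_, key| key.match?(/\A\h{32}\z/) }
end

# Returns [source, plaintext] for the first key whose GCM tag verifies.
def decrypt_with_any(blob, candidates)
  candidates.each do |source, hex_key|
    begin
      return [source, decrypt_blob(hex_key, blob)]
    rescue OpenSSL::Cipher::CipherError
      next # wrong key: authentication fails, so it can never yield garbage plaintext
    end
  end
  # Report which sources were tried, never the key material itself.
  raise ArgumentError, "no candidate key decrypts (tried: #{candidates.keys.join(', ')})"
end

if __FILE__ == $PROGRAM_NAME
  old_key, new_key = SecureRandom.hex(16), SecureRandom.hex(16) # constructed sample keys
  env = { "RAILS_MASTER_KEY" => new_key, "RAILS_MASTER_KEY_OLD" => old_key } # _OLD is hypothetical
  blob = encrypt_blob(old_key, "api_token: constructed-sample") # file still under the old key
  source, plaintext = decrypt_with_any(blob, candidate_keys(env, "config"))
  puts "decrypted with #{source}: #{plaintext}"
end
```

The returned source name shows which key is still in use, so a deploy can tell when nothing decrypts with the old key any more and it can be removed.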