Methodology for Credentials key rotation


Methodology for Credentials key rotation

Micah Buckley-Farlee
Hello!

I've been in a bit of pain recently around rotating our Secrets/Credentials key.

Assuming that either the config/master.key file is not checked in, or (as in our case), the RAILS_MASTER_KEY env var is used to specify the key, it is difficult to gracefully rotate keys. Our infrastructure for environment management is separate from our deploy infrastructure, so it is not possible for us to change specific environment variables with deploys of specific commits. I imagine this may also be an issue for various methods of getting the config/master.key file in place on production environments.

I'm curious if there is already a story for key rotation that I'm missing, or if that might be something worth implementing (which I would be happy to do).

The obvious solution would be the ability to specify multiple key files or env vars, and simply use whichever one successfully decrypts the credentials.

Cheers!
Micah

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/e168f1d6-d886-4e08-95f8-994d9644dbcd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
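
The "try each configured key and use whichever one decrypts" idea from the post above, as an added example that is not part of the original message and not Rails' own code. It assumes an authenticated cipher (AES-128-GCM), so a wrong key fails tag verification instead of returning garbage. The `data--iv--tag` blob layout, the function names and the sample keys are constructed for illustration; the candidate key list stands in for the multiple key files or env vars the post proposes.

```ruby
require "openssl"
require "base64"
require "securerandom"

CIPHER = "aes-128-gcm" # authenticated mode: a wrong key fails the tag check

# Encrypt plaintext under a 32-hex-char key; returns "data--iv--tag" (Base64 parts).
def encrypt(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Try a single key; returns the plaintext, or nil when the key or blob is rejected.
def decrypt(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(data) + cipher.final # final raises if the GCM tag does not verify
rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
  nil
end

# Returns [plaintext, index_of_matching_key]; raises when no candidate verifies.
def decrypt_with_any(blob, hex_keys)
  hex_keys.each_with_index do |key, i|
    plaintext = decrypt(blob, key)
    return [plaintext, i] if plaintext
  end
  raise ArgumentError, "no candidate key decrypts the credentials"
end

# Re-encrypt under the primary (first) key when an older key was the one that matched.
def rotate(blob, hex_keys)
  plaintext, index = decrypt_with_any(blob, hex_keys)
  index.zero? ? blob : encrypt(plaintext, hex_keys.first)
end

# Constructed sample keys and content (not real credentials).
OLD_KEY = SecureRandom.hex(16)
NEW_KEY = SecureRandom.hex(16)
SAMPLE  = encrypt("secret_key_base: constructed-sample", OLD_KEY)
```

With the new key listed first and the old key second, a process can read credentials encrypted under either one, and `rotate` produces the blob to commit once every environment carries the new key; the old key is then dropped from the list.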

Re: Methodology for Credentials key rotation

Micah Buckley-Farlee
Also, just a note that I realized after posting this that core would be a better place for it, so I posted a similar message there. Sorry for the duplication.

On Thu, May 24, 2018 at 10:38 AM, Micah Buckley-Farlee <[hidden email]> wrote:
Hello!

I've been in a bit of pain recently around rotating our Secrets/Credentials key.

Assuming that either the config/master.key file is not checked in, or (as in our case), the RAILS_MASTER_KEY env var is used to specify the key, it is difficult to gracefully rotate keys. Our infrastructure for environment management is separate from our deploy infrastructure, so it is not possible for us to change specific environment variables with deploys of specific commits. I imagine this may also be an issue for various methods of getting the config/master.key file in place on production environments.

I'm curious if there is already a story for key rotation that I'm missing, or if that might be something worth implementing (which I would be happy to do).

The obvious solution would be the ability to specify multiple key files or env vars, and simply use whichever one successfully decrypts the credentials.

Cheers!
Micah




--
Micah Buckley-Farlee
Application Development Manager
Verba Software

(415) 738 - 2374
