RAILS_MASTER_KEY in development


RAILS_MASTER_KEY in development

Steven Jeffries
Is there any documentation on how to set up and use the master key for development?

Starting a new rails 5.2 app generates a key in config/master.key. That file is added to the .gitignore, so when other members of my team check it out, they do not have the key.

If another member of my team checks out the repo and attempts to run the server, they get an error that the key is missing.

Now, when they generate a key and put it in config/master.key, they get an ActiveSupport::MessageEncryptor::InvalidMessage error when trying to start up the rails server unless it is the exact key that was generated when the app was created.

It seems like rails is trying to decrypt some files (or something) and needs the key to do so. In the default 5.2 app, which files not in the .gitignore are being encrypted?

If the exact starting key is required to run rails, then why is it in the .gitignore, or even configurable at all?

Is there a way for different members of my team to use a different key in development? Is there a way to use a different key in production? Is there a way to change the key in production periodically?

Is all of this documented somewhere?

Sorry for all of the questions.

Thanks for your time!

- Steve

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.

Re: RAILS_MASTER_KEY in development

Jason Fleetwood-Boldt
Steven,

I think perhaps there is 1 thing you are missing.

(someone stop me if I'm wrong here)

the purpose of the master.key is to decrypt .enc files, like config/credentials.yml.enc

This way, you can keep the encrypted versions of your yml (config) files in your repository, but not the secret key itself used to decrypt those files. 

I think it's discussed here in the 5.2.0 beta release notes:

In Rails 5.2, we’ve rectified the mess by deprecating the two different kinds of secrets and introduced a new shared concept called Credentials. Credentials, like AWS access keys and other forms of logins and passwords, were the dominant use case for secrets, so why not just call a spade a spade. So spade it is!

Credentials are always encrypted. This means they’re safe to check into revision control, as long as you keep the key out of it. That means atomic deploys, no need to mess with a flurry of environment variables, and other benefits of having all credentials that the app needs in one place, safe and secure.

In addition, we’ve opened up the API underlying Credentials, so you can easily deal with other encrypted configurations, keys, and files.


as well, this Engine Yard article I think explains some parts you are missing:


On your Rails 5.2 apps, what does this give you

 rake -T |grep credentials

-Jason


On Jan 9, 2018, at 5:33 PM, Steven Jeffries <[hidden email]> wrote:

Is there any documentation on how to set up and use the master key for development?

Starting a new rails 5.2 app generates a key in config/master.key. That file is added to the .gitignore, so when other members of my team check it out, they do not have the key.

If another member of my team checks out the repo and attempts to run the server, they get an error that the key is missing.

Now, when they generate a key and put it in config/master.key, they get an ActiveSupport::MessageEncryptor::InvalidMessage error when trying to start up the rails server unless it is the exact key that was generated when the app was created.

It seems like rails is trying to decrypt some files (or something) and needs the key to do so. In the default 5.2 app, which files not in the .gitignore are being encrypted?

If the exact starting key is required to run rails, then why is it in the .gitignore, or even configurable at all?

Is there a way for different members of my team to use a different key in development? Is there a way to use a different key in production? Is there a way to change the key in production periodically?

Is all of this documented somewhere?

Sorry for all of the questions.

Thanks for your time!

- Steve


If you'd like to reply by encrypted email you can find my public key on jasonfleetwoodboldt.com (more about setting GPG: https://gpgtools.org)
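
Why a freshly generated key cannot stand in for the original, as an added example (not from this thread or from Rails' own code): a simplified model in plain Ruby and OpenSSL. It assumes the aes-128-gcm cipher and the Base64 `data--iv--tag` layout used for config/credentials.yml.enc, and skips the serialization step Rails applies; the function names are hypothetical.

```ruby
require "openssl"
require "securerandom"

# Assumption: the cipher Rails 5.2 uses for credentials.yml.enc.
CIPHER = "aes-128-gcm"

# Same shape as config/master.key: 16 random bytes written as 32 hex characters.
def generate_master_key
  SecureRandom.hex(16)
end

# Encrypt plaintext under a hex key; returns "data--iv--tag", each part Base64.
def encrypt_credentials(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Decrypt the blob; returns the plaintext, or :invalid_message when the GCM
# authentication tag does not verify (wrong key or modified file). Rails
# surfaces that failure as ActiveSupport::MessageEncryptor::InvalidMessage.
def decrypt_credentials(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(data) + cipher.final
rescue OpenSSL::Cipher::CipherError
  :invalid_message
end

# Constructed sample content standing in for the decrypted credentials YAML.
SAMPLE_CREDENTIALS = "secret_key_base: constructed-example-value\n"

if __FILE__ == $0
  original_key = generate_master_key   # created once, kept out of git
  teammate_key = generate_master_key   # regenerated after a fresh checkout
  blob = encrypt_credentials(SAMPLE_CREDENTIALS, original_key)
  puts decrypt_credentials(blob, original_key).inspect
  puts decrypt_credentials(blob, teammate_key).inspect
end
```

The committed .enc file is bound to the one key that encrypted it, so the key has to reach teammates and servers through a channel outside the repository.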


Re: RAILS_MASTER_KEY in development

Stefan Daschek
In reply to this post by Steven Jeffries
On 09.01.18 at 23:33, Steven Jeffries wrote:
> Starting a new rails 5.2 app generates a key in config/master.key. That
> file is added to the .gitignore, so when other members of my team check
> it out, they do not have the key.
>
> If another member of my team checks out the repo and attempts to run the
> server, they get an error that the key is missing.

I think this has been fixed recently, see
https://github.com/rails/rails/pull/30067#issuecomment-353364390 and
https://github.com/rails/rails/commit/35373219c91ea8096ef2f8e7f3c62bcd46f436be#diff-6f37687eabcabe977bdf8be8267eeea2


s.


Re: RAILS_MASTER_KEY in development

Steven Jeffries
Thanks for the reply, this looks promising!

Do you know if there is any documentation on this somewhere?

I seem to have gridlocked myself switching between branches. Now I can't run rails even with the original key.

Do you know if there's a way to turn off the encryption (at least temporarily)?

Thanks again!

- Steve


On Wednesday, January 10, 2018 at 2:17:44 AM UTC-8, Stefan Daschek wrote:
On 09.01.18 at 23:33, Steven Jeffries wrote:
> Starting a new rails 5.2 app generates a key in config/master.key. That
> file is added to the .gitignore, so when other members of my team check
> it out, they do not have the key.
>
> If another member of my team checks out the repo and attempts to run the
> server, they get an error that the key is missing.

I think this has been fixed recently, see
https://github.com/rails/rails/pull/30067#issuecomment-353364390 and
https://github.com/rails/rails/commit/35373219c91ea8096ef2f8e7f3c62bcd46f436be#diff-6f37687eabcabe977bdf8be8267eeea2


s.
