Should be able to regenerate master.key


Should be able to regenerate master.key

Pradeep Agrawal
There should be a functionality by which we can change master.key, just like we change our password by providing the current password and a new password. Similarly, we should be able to change master.key by using the current master.key, and it should generate a new master.key and encrypt the current credentials with the newly created master.key.

I think this would be a required feature as we are going to use Rails encrypted credentials, and once our master.key gets compromised we don't have a way to change it.

I created an issue for the same over here. You can refer to this for more details.

Issue of the same: https://github.com/rails/rails/issues/32718

Please let me know your thoughts on this.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To post to this group, send email to [hidden email].
Visit this group at https://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.

Re: Should be able to regenerate master.key

Alberto Almagro
Hi Pradeep,

from my point of view, in case the master.key gets compromised, as you say, you still know it and can access your credentials. In this case, you would always be able to set up credentials again.

I think you meant "in case you forget the master.key". The problem that comes to my mind is that you can't easily have a mechanism to restore it without opening a security hole, which is what this feature wants to avoid. Did you already come up with an idea to handle this?

Kind regards,
Alberto Almagro

On Thursday, April 26, 2018, 8:41:21 (UTC+2), Pradeep Agrawal wrote:
There should be a functionality by which we can change master.key, just like we change our password by providing the current password and a new password. Similarly, we should be able to change master.key by using the current master.key, and it should generate a new master.key and encrypt the current credentials with the newly created master.key.

I think this would be a required feature as we are going to use Rails encrypted credentials, and once our master.key gets compromised we don't have a way to change it.

I created an issue for the same over here. You can refer to this for more details.

Issue of the same: https://github.com/rails/rails/issues/32718

Please let me know your thoughts on this.


Re: Should be able to regenerate master.key

Pradeep Agrawal
Hi Alberto,

Thanks for your response. What I meant is that if someone else gets my private key then he would be able to decrypt the credentials file.

I was suggesting that there should be a rake task or something like that which uses the current master.key and generates a new master.key. That way we can change our master.key whenever required.

Please let me know your thoughts on it.


Re: Should be able to regenerate master.key

Pradeep Agrawal
Hi Alberto,

I have figured out a way to do that. That is a trick right now but the end result would be what we want. I am planning to create a rake task for this which will do this.
Please let me know if I should do that.



Re: Should be able to regenerate master.key

Alberto Almagro
Hi Pradeep,

sorry for the delay, I had a lot going on these days.

At the end the functionality would be more or less what it is at the moment, but I like the point that you don't have to recreate everything. It would be simply to encrypt the secrets again with a newly generated key. Provided that you must supply the current master.key to be able to trigger the process, it seems interesting to me.

Let's see if a member of the Rails Core team shares his/her thoughts about this.

Cheers,
Alberto

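
The rotation discussed in this thread (current key required, new key generated, same secrets re-encrypted), as an added example that is not from the thread or from Rails. It uses Ruby's standard OpenSSL library rather than Rails' own credentials code; the `data--iv--tag` layout, the AES-128-GCM choice and the `seal`/`unseal`/`rotate` names are assumptions of this sketch.

```ruby
require "openssl"
require "securerandom"
require "base64"

CIPHER = "aes-128-gcm" # assumption: authenticated cipher, so a wrong key fails loudly

# Encrypt plaintext under a hex key; returns "data--iv--tag" (layout assumed for this sketch).
def seal(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  data = cipher.update(plaintext) + cipher.final
  [data, iv, cipher.auth_tag].map { |part| Base64.strict_encode64(part) }.join("--")
end

# Decrypt; raises OpenSSL::Cipher::CipherError if the key is wrong or the data was altered.
def unseal(blob, hex_key)
  data, iv, tag = blob.split("--").map { |part| Base64.strict_decode64(part) }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(data) + cipher.final
end

# Rotation as proposed in the thread: the current key is required to start,
# a fresh key is generated, and the same secrets are re-encrypted under it.
def rotate(blob, current_hex_key)
  plaintext = unseal(blob, current_hex_key)   # fails here without the current key
  new_hex_key = SecureRandom.hex(16)          # 16 random bytes = 128-bit key
  new_blob = seal(plaintext, new_hex_key)
  # Verify the round trip before anything on disk would be replaced.
  raise "re-encryption check failed" unless unseal(new_blob, new_hex_key) == plaintext
  [new_blob, new_hex_key]
end

# Constructed sample data, not real credentials.
OLD_KEY  = SecureRandom.hex(16)
SAMPLE   = "secret_key_base: constructed-example-value\n"
OLD_BLOB = seal(SAMPLE, OLD_KEY)
NEW_BLOB, NEW_KEY = rotate(OLD_BLOB, OLD_KEY)
```

Re-encrypting under a new key only protects the file going forward: anyone holding the old key and an old copy of the encrypted file (for example from version control history) can still read the old secrets, so the secrets stored inside need to be changed as well.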