I’ve been in a bit of pain recently figuring out how to gracefully rotate the encryption key for Credentials. (The same pain also applies to Secrets.)
This seems to be an issue both with using the RAILS_MASTER_KEY env variable (as we do), and the config/master.key file, provided that file is not checked in, but placed or symlinked there via some other process.
Our issue is that we do not have any way to tie environment changes to specific commits or deploys.
I suspect this might be a shared issue, and I was wondering if there is a story around credentials key rotation that I am missing, and if not, if it may be something worth implementing (which I would be happy to take a stab at).
Two solutions that come to mind would be to
a) allow configuring the env var or file to use, or
b) have Rails check two env vars and file paths, and use the one which successfully decrypts the secrets file.
I prefer the idea that we try all the keys we have and, if any of them can decrypt, we decrypt, rather than having people mess about with configurations. Happy to see a PR for this.
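The "try every key we have" approach from the reply above, as an added example that is not from this thread or from Rails itself: candidate keys are collected from env vars and key files in a fixed order, and the first one whose authenticated decryption succeeds wins. The `RAILS_MASTER_KEY_PREVIOUS` env var and `config/master.key.previous` path are assumed names for this example, and the AES-256-GCM blob format is a simplified stand-in for the real credentials file format.

```ruby
require "openssl"
require "base64"

# Assumed key sources, tried in order. During a rotation the new key is deployed
# first; the old key stays in the fallback slot until the file is re-encrypted.
KEY_ENV_VARS   = %w[RAILS_MASTER_KEY RAILS_MASTER_KEY_PREVIOUS].freeze
KEY_FILE_PATHS = %w[config/master.key config/master.key.previous].freeze

# Collect every candidate key (hex strings) from the environment and from files.
def candidate_keys(env: ENV, files: KEY_FILE_PATHS)
  from_env   = KEY_ENV_VARS.map { |name| env[name]&.strip }
  from_files = files.map { |path| File.read(path).strip if File.exist?(path) }
  (from_env + from_files).compact.reject(&:empty?).uniq
end

# Simplified stand-in for the credentials file: base64(iv || tag || ciphertext).
def encrypt(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  ct = cipher.update(plaintext) + cipher.final
  Base64.strict_encode64(iv + cipher.auth_tag + ct)
end

# Returns the plaintext, or nil when this key does not authenticate the blob.
# A wrong key fails the GCM tag check, so we never act on garbage plaintext.
def try_decrypt(blob, hex_key)
  raw = Base64.strict_decode64(blob)
  iv, tag, ct = raw[0, 12], raw[12, 16], raw[28..-1]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = [hex_key].pack("H*")   # raises ArgumentError on a wrong-length key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ct) + cipher.final
rescue OpenSSL::Cipher::CipherError, ArgumentError
  nil
end

# Try each candidate; return [plaintext, key_that_worked] or raise if none fits.
def decrypt_with_any(blob, keys)
  keys.each do |key|
    plaintext = try_decrypt(blob, key)
    return [plaintext, key] if plaintext
  end
  raise "no candidate key decrypts credentials"
end
```

Logging which key slot succeeded (never the key itself) tells you when the fallback is still being hit, which is the signal that re-encryption with the new key has not happened on that deploy.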