Key rotation story for Credentials

Hello all,

I’ve been in a bit of pain recently figuring out how to gracefully rotate the encryption key for Credentials. (The same pain also applies to Secrets.)

This seems to be an issue both with using the RAILS_MASTER_KEY env variable (as we do), and the config/master.key file, provided that file is not checked in, but placed or symlinked there via some other process.

Our issue is that we do not have any way to tie environment changes to specific commits or deploys.

I suspect this might be a shared issue, and I was wondering if there is a story around credentials key rotation that I am missing, and if not, if it may be something worth implementing (which I would be happy to take a stab at).

Two solutions that come to mind would be to

a) allow configuring the env var or file to use, or

b) have Rails check two env vars and file paths, and use the one which successfully decrypts the secrets file.



Just following up here -

would there be any opposition to making the Credentials secret environment variable and file path configurable?

This affords some flexibility and eases key rotation, while still encouraging safe practices by not allowing direct placement of the key in config.


I prefer the idea that we try all the keys we have and if any of them can decrypt, we decrypt, rather than having people mess about with configurations. Happy to see a PR for this.

Great, I’ll give it a shot.

What should we check for “all the keys we have”?

For files, perhaps config/.key, what about env vars? RAILS_MASTER_KEY maybe?
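
A sketch of the "try all the keys we have" approach discussed in this thread, as an added example that is not part of the thread and not Rails' own code. It assumes AES-128-GCM with a simple `ciphertext--iv--tag` layout; the function names, candidate labels and sample keys are hypothetical and constructed for illustration.

```ruby
require "openssl"
require "base64"

CIPHER = "aes-128-gcm"
# Constructed sample keys (hex, 128-bit), standing in for the old and new master keys.
OLD_KEY = "00112233445566778899aabbccddeeff"
NEW_KEY = "ffeeddccbbaa99887766554433221100"

# Encrypt under a hex key; returns "ciphertext--iv--tag" with Base64 parts.
def encrypt_credentials(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
end

# Decrypt with one key; raises OpenSSL::Cipher::CipherError if the GCM tag does not verify.
def decrypt_with(blob, hex_key)
  ciphertext, iv, tag = blob.split("--").map { |p| Base64.strict_decode64(p) }
  raise ArgumentError, "bad tag length" unless tag && tag.bytesize == 16 # reject truncated tags
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end

# Try candidates in order; return [label, plaintext] for the first key that authenticates.
# The label (never the key) is what deploy tooling should log to see which key is in use.
def decrypt_with_any(blob, candidates)
  candidates.each do |label, hex_key|
    next if hex_key.nil? || hex_key.strip.empty? # unset env var or missing key file
    begin
      return [label, decrypt_with(blob, hex_key.strip)]
    rescue OpenSSL::Cipher::CipherError, ArgumentError
      next # wrong key (tag mismatch) or malformed key: try the next candidate
    end
  end
  raise ArgumentError, "no candidate key decrypts the credentials"
end

# Rotation step: read with whichever key still works, re-encrypt under the new key only.
def rotate(blob, candidates, new_hex_key)
  _label, plaintext = decrypt_with_any(blob, candidates)
  encrypt_credentials(plaintext, new_hex_key)
end
```

Because GCM is authenticated, a wrong key fails the tag check instead of yielding garbage, which is what makes "the one which successfully decrypts" a reliable test. Once every deploy reports the new key's label, the old key can be removed from the environment.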