Methodology for Credentials key rotation


I’ve been in a bit of pain recently around rotating our Secrets/Credentials key.

Assuming that either the config/master.key file is not checked in, or (as in our case), the RAILS_MASTER_KEY env var is used to specify the key, it is difficult to gracefully rotate keys. Our infrastructure for environment management is separate from our deploy infrastructure, so it is not possible for us to change specific environment variables with deploys of specific commits. I imagine this may also be an issue for various methods of getting the config/master.key file in place on production environments.

I’m curious if there is already a story for key rotation that I’m missing, or if that might be something worth implementing (which I would be happy to do).

The obvious solution would be the ability to specify multiple key files or env vars, and simply use whichever one successfully decrypts the credentials.


Also, just a note that I realized after posting this that core would be a better place for it, so I posted a similar message there. Sorry for the duplication.