Rails Credentials are great for a lot of purposes, but merge conflicts are really annoying to resolve even with the included tools. But if we were to restructure how they work we could enable git to auto-resolve conflicts.
To that end I propose we convert the file from one big encrypted chunk to lots of small encrypted keypairs. There are two approaches we could take:
- Keep keys encrypted as well
- Maintain keys in plain text
Note that we don’t actually have to encrypt keys. Key names could be inferred from the code base of an application. Therefore keys are not secret - values are. This means that if we were to parse the file and only encrypt values
In both cases git would be able to match individual lines and apply diffs automatically, as the lines around our changes would remain the same. But if keys were kept in plain text, (PR/MR) reviews would be easier, as developers could infer what was changed just by looking at the diff.
This presents a small problem, where someone with access to the code-base could be able to tamper with credentials without having access to the key, but we can add an HMAC checksum at the end of the file or each keypair to validate contents and mitigate that.
I don’t believe such an approach decreases security even in the case of plain text keys since, as I mentioned before, we already know the keys; we even have clues about the content of values from the code base. The only thing we are doing is making it possible for git to auto-resolve changes.
This could potentially add two improvements:
- Git would be able to auto-resolve conflicts
- PR diffs would be able to show what key was changed (the value would be unintelligible).
- The credential file would be tamper-evident.
I would like us to start a discussion about the next iteration of credential management so we could improve it for future versions.
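A sketch of the plain-text-key variant, added here as an illustration and not part of the original post or of Rails: each value is encrypted on its own line, with AES-256-GCM's authentication tag used in place of a separate per-pair HMAC and the key name bound in as associated data. The `LineCredentials` module, its method names and the `name: base64` line format are all assumptions.

```ruby
require "openssl"
require "base64"

# Hypothetical per-line format (not Rails' own): "name: base64(iv || tag || ciphertext)"
module LineCredentials
  module_function

  def crypt(cipher, data) # some OpenSSL versions reject update(""), so skip it
    (data.empty? ? "" : cipher.update(data)) + cipher.final
  end

  def encrypt_pair(key, name, value)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = key
    iv = c.random_iv
    c.auth_data = name # bind the value to its plain-text key name
    ct = crypt(c, value)
    "#{name}: #{Base64.strict_encode64(iv + c.auth_tag + ct)}"
  end

  def decrypt_pair(key, line)
    name, blob = line.split(": ", 2)
    raw = Base64.strict_decode64(blob)
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key = key
    c.iv = raw[0, 12]
    c.auth_tag = raw[12, 16]
    c.auth_data = name
    [name, crypt(c, raw[28..])] # raises OpenSSL::Cipher::CipherError on tampering
  end

  # Rewrite only the changed line. Untouched lines must keep their exact bytes:
  # re-encrypting them with fresh random IVs would change every line of the diff.
  def set(key, lines, name, value)
    fresh = encrypt_pair(key, name, value)
    idx = lines.index { |l| l.start_with?("#{name}: ") }
    idx ? lines.dup.tap { |copy| copy[idx] = fresh } : lines + [fresh]
  end

  def tampered?(key, line)
    decrypt_pair(key, line)
    false
  rescue OpenSSL::Cipher::CipherError, ArgumentError, TypeError
    true
  end
end

if __FILE__ == $0 # constructed sample values
  key = OpenSSL::Random.random_bytes(32)
  puts LineCredentials.set(key, [LineCredentials.encrypt_pair(key, "api_token", "constructed-value")], "db_password", "constructed-pw")
end
```

Per-pair authentication catches an edited value or a value moved under a different key name, but not a deleted or rolled-back line. A file-level HMAC would cover that, though as a single line that changes on every edit it would itself conflict on merge.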