Viewing changes to credentials.yml.enc in Git

Seeing the thread about credentials, I’m reminded of an issue I’ve had with credentials: if I look at a diff, I have no way of seeing how credentials have changed. I just see random-looking data.

That’s why I’ve personally taken the habit to document my commits thoroughly (added THIS_PARTICULAR_KEY, etc.), but even that is sub-par.

My new and better approach is to make a second file, credentials.yml, but this one with just the keys. This way, I can diff between revisions and see which keys have been added/removed.

That said, it’s only a personal workflow, so I don’t benefit from that if it’s a project that doesn’t use that particular workflow.

Other point: my solution doesn’t tell me whether a credential has changed (or which one has, if I see the .enc file has been changed). We could fix this by putting in credentials.yml say, the last 7 hex characters of sha3(key). (or any other decently preimage-resistant hash)

It would be trivially easy to view:

  ...
- KEYS_TO_THE_KINGDOM: ffe79da
+ KEYS_TO_THE_KINGDOM: 1bc2e10
  OTHER_UNCHANGED_KEY: 66bb070

and for that to be generated by rails credentials:edit

2 Likes
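A sketch of the manifest the post describes, as an added example that is not from this thread or from Rails itself: it flattens the decrypted credentials to dotted key paths and writes a committable YAML file holding only 7-character fingerprints, so `git diff` shows which keys were added, removed or rotated. It keys the digest with the master key (HMAC-SHA256) rather than a bare SHA-3 so the manifest gives someone with repository access but no master key nothing to test guesses against; the task name, master key and credential values are constructed placeholders.

```ruby
require "openssl"
require "yaml"

# Flatten nested credentials ({ "aws" => { "access_key_id" => ... } })
# into dotted paths such as "aws.access_key_id".
def flatten_credentials(hash, prefix = nil)
  hash.each_with_object({}) do |(key, value), out|
    path = [prefix, key].compact.join(".")
    if value.is_a?(Hash)
      out.merge!(flatten_credentials(value, path))
    else
      out[path] = value.to_s
    end
  end
end

# Short fingerprint of one secret: HMAC keyed with the master key instead of a
# plain hash, so the plaintext manifest leaks nothing to anyone who lacks
# config/master.key. Truncated to 7 hex chars as the post proposes, which is
# enough to notice a change but not to prove two values are equal.
def fingerprint(master_key, value)
  OpenSSL::HMAC.hexdigest("SHA256", master_key, value)[-7..]
end

# Build the manifest: sorted keys, fingerprints only, never the values.
def credential_manifest(credentials, master_key)
  flat = flatten_credentials(credentials)
  manifest = flat.keys.sort.to_h { |k| [k, fingerprint(master_key, flat[k])] }
  "# Generated by the hypothetical credentials:manifest task; safe to commit.\n" +
    manifest.to_yaml
end

# Constructed sample: the credentials before and after rotating one secret.
MASTER_KEY = "0123456789abcdef0123456789abcdef" # placeholder, not a real key
BEFORE = { "aws" => { "access_key_id" => "AKIA-EXAMPLE", "secret_access_key" => "old-secret" },
           "other" => "unchanged" }
AFTER  = { "aws" => { "access_key_id" => "AKIA-EXAMPLE", "secret_access_key" => "new-secret" },
           "other" => "unchanged" }

if __FILE__ == $PROGRAM_NAME
  puts credential_manifest(BEFORE, MASTER_KEY)
  puts credential_manifest(AFTER, MASTER_KEY)
end
```

Diffing the two outputs shows only the `aws.secret_access_key` line changing, which is exactly the signal the encrypted file cannot give.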

Interesting idea. Another way this could be done would be to have only the values be encrypted, e.g.

# Call `rails credentials:edit` to modify this file.
aws:
  access_key_id: NSAS63LQAT5DpaUc0JadtCs1ty3FbY8KWm4ork6HiDDilCCbgBLCapKV1GLBd5vYqjP2UDqFUwn==
  secret_access_key: JadtCs1ty3FbYNSAS63LQAT5DpaUc08KWm4j0sxYlFTifOxHpJi0rbN7CJIUt9e6TiQcQYxyw42ATeoAC1A5Y1L92KzmanyzD==

6 Likes

In hindsight, that’s almost obvious :sweat_smile: Good solution!

This is coming in Rails 6.1!

See:

https://github.com/rails/rails/pull/36777

And its current revision:

https://github.com/rails/rails/commit/03e44f93001db97953917e0a100c627e189e2be6

4 Likes