Dynamic decrypter of encrypted config/master.key on EC2.
Rails 5.2 introduced encrypted credentials 🙌

The key, located at config/master.key, is created when you run `rails new`. It doesn't get committed to your repository.

If you use AWS and this gem, you can encrypt config/master.key so that it can be committed. After encrypting the key, the encrypted key is saved to config/master.key.enc.

The default Rails credential decryptor decrypts config/credentials.yml.enc using the raw master key. After adding this gem, Rails decrypts it using the encrypted master key, which the gem decrypts through KMS at boot.
Add this line to your application's Gemfile:

```ruby
gem 'rails_master_key_kms_decrypter' # Recommended: `group: 'production'`
```
Create a KMS key in your region.

Encrypt your config/master.key:

```shell
# Create `config/master.key.enc`
aws kms encrypt --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --plaintext fileb://config/master.key --output text --query CiphertextBlob > config/master.key.enc
git add config/master.key.enc
git commit

# or define `ENCRYPTED_RAILS_MASTER_KEY`
ENCRYPTED_RAILS_MASTER_KEY=$(aws kms encrypt --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --plaintext fileb://config/master.key --output text --query CiphertextBlob)
```
When Rails credential decryption succeeds, rails_master_key_kms_decrypter is ready:

```shell
ENCRYPTED_RAILS_MASTER_KEY=... ./bin/rails runner 'Rails.application.credentials.config.present? ? puts("👍") : puts("👎")'
```
Create an IAM policy that allows `kms:Decrypt` on your key (`Resource` is your key's ARN):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:ap-northeast-1:012345678900:key/1234567a-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
  ]
}
```
Create an IAM role: choose EC2 as the trusted resource and attach the policy from the previous step.

Create the EC2 instance with that role and deploy your application.
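The instance role above only needs `kms:Decrypt` on one named key; anything broader (`kms:*`, a `"*"` resource) lets a compromised instance decrypt or manage every key in the account. The following is an added example, not part of the gem, of a small policy check you can run in CI against the policy document before attaching it. `kms_policy_findings` is a hypothetical helper name, and the sample policy is the one from this README with its placeholder ARN.

```ruby
require "json"

# Constructed sample: the README's policy, including its placeholder key ARN.
SAMPLE_POLICY = <<~POLICY
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "",
        "Effect": "Allow",
        "Action": "kms:Decrypt",
        "Resource": "arn:aws:kms:ap-northeast-1:012345678900:key/1234567a-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      }
    ]
  }
POLICY

# Hypothetical helper (not part of the gem): checks that an IAM policy grants the
# instance role nothing more than kms:Decrypt on explicitly named KMS keys.
# Returns a list of findings; an empty list means the policy passes.
def kms_policy_findings(policy_json)
  policy = JSON.parse(policy_json)
  findings = []

  Array(policy["Statement"]).each_with_index do |st, i|
    next unless st["Effect"] == "Allow" # Deny statements only narrow access

    Array(st["Action"]).each do |action|
      next if action == "kms:Decrypt"
      findings << "statement #{i}: action #{action.inspect} is broader than kms:Decrypt"
    end

    Array(st["Resource"]).each do |resource|
      if resource.include?("*")
        findings << "statement #{i}: resource #{resource.inspect} is a wildcard; name the key ARN"
      elsif !resource.match?(%r{\Aarn:aws:kms:[a-z0-9-]+:\d{12}:key/[^/]+\z})
        findings << "statement #{i}: resource #{resource.inspect} is not a KMS key ARN"
      end
    end
  end

  findings
end

if $PROGRAM_NAME == __FILE__
  findings = kms_policy_findings(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_POLICY)
  puts(findings.empty? ? "policy OK: kms:Decrypt on named key only" : findings)
  exit(findings.empty? ? 0 : 1)
end
```

Run it as `ruby check_policy.rb path/to/policy.json`; a non-zero exit fails the pipeline, so a later edit that widens the action or resource cannot slip through unnoticed.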
RailsMasterKeyKmsDecrypter needs region information. Please set ENV["AWS_REGION"] or ENV["RAILS_MASTER_KEY_KMS_DECRYPTER_AWS_REGION"].
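To make the boot-time flow concrete, here is an added example (not the gem's own code) that walks through what the README describes: pick the region from the two environment variables, read the base64 ciphertext from `ENCRYPTED_RAILS_MASTER_KEY` or `config/master.key.enc`, and hand it to a KMS client whose `decrypt(ciphertext_blob:)` call returns the plaintext master key. The module name `EncryptedMasterKey`, the `FakeKms` stand-in and the sample values are assumptions made for this illustration; `Aws::KMS::Client#decrypt` from aws-sdk-kms has the same call shape and would replace the fake in a real deployment.

```ruby
require "base64"

# Hypothetical illustration of the boot-time flow; not the gem's own code.
module EncryptedMasterKey
  ENV_CIPHERTEXT = "ENCRYPTED_RAILS_MASTER_KEY"
  ENC_FILE       = "config/master.key.enc"
  # Gem-specific variable wins, then the generic AWS one.
  REGION_VARS    = %w[RAILS_MASTER_KEY_KMS_DECRYPTER_AWS_REGION AWS_REGION]

  class MissingRegion < StandardError; end
  class MissingCiphertext < StandardError; end

  # Resolve the KMS region; fail loudly at boot rather than with a confusing SDK error later.
  def self.region(env = ENV)
    REGION_VARS.each { |v| return env[v] if env[v] && !env[v].empty? }
    raise MissingRegion, "set #{REGION_VARS.join(' or ')}"
  end

  # `aws kms encrypt --output text --query CiphertextBlob` prints base64, so both
  # the env var and the .enc file hold base64 text; decode it to the raw blob.
  def self.ciphertext(env = ENV, file = ENC_FILE)
    raw = env[ENV_CIPHERTEXT]
    raw = File.read(file) if (raw.nil? || raw.empty?) && File.exist?(file)
    raise MissingCiphertext, "no #{ENV_CIPHERTEXT} and no #{file}" if raw.nil? || raw.strip.empty?
    Base64.strict_decode64(raw.strip)
  end

  # kms_client must respond to decrypt(ciphertext_blob:) and return an object with
  # #plaintext, the shape of Aws::KMS::Client#decrypt. The result is the value Rails
  # would otherwise read from config/master.key.
  def self.master_key(kms_client, env = ENV, file = ENC_FILE)
    resp = kms_client.decrypt(ciphertext_blob: ciphertext(env, file))
    resp.plaintext.to_s.strip
  end
end

# Constructed stand-in so the flow runs offline. A real deployment would pass
# Aws::KMS::Client.new(region: EncryptedMasterKey.region) instead.
class FakeKms
  Resp = Struct.new(:plaintext)

  def initialize(table)
    @table = table # ciphertext blob => plaintext
  end

  def decrypt(ciphertext_blob:)
    Resp.new(@table.fetch(ciphertext_blob) { raise "KMS: InvalidCiphertextException" })
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values: an opaque blob and a fake 16-char master key.
  fake = FakeKms.new("opaque-blob" => "0123456789abcdef")
  env  = { "ENCRYPTED_RAILS_MASTER_KEY" => Base64.strict_encode64("opaque-blob"),
           "AWS_REGION" => "ap-northeast-1" }
  puts "region:     #{EncryptedMasterKey.region(env)}"
  puts "master key: #{EncryptedMasterKey.master_key(fake, env)}"
end
```

Two details worth keeping in any real implementation: the region lookup raises before any network call when neither variable is set, which is the failure the README warns about, and the plaintext only ever lives in process memory, never on the instance's disk.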
Bug reports and pull requests are welcome on GitHub at https://github.com/alpaca-tc/rails_master_key_kms_decrypter.
The gem is available as open source under the terms of the MIT License.