Announcement discussion #1
Comments
I think you are correct. I have asked a similar question on Stack Overflow: https://stackoverflow.com/questions/50847451/rails-new-credentials-creates-greater-risk-in-case-of-master-key-is-corrupt Your gem is probably fixing the security issue but actually I think the old
I think the key feature of encoded files is that credentials are stored and modified in a single place (the app's repo) - there's no need to edit
Regarding a compromised master.key in case of theft: I think that it should be stored in a system encrypted store, like a keychain or an encrypted disk volume. This will prevent decoding of encrypted secrets/credentials.
Isn't this statement similar to saying that AWS SSH access is insecure because the .pem key file may be stolen from your computer?
If a high security level is required, then private keys must be stored encrypted. They cannot be used without a password when stolen. The difference with master.key is that the private key is not required for development and access to it can be restricted. While every developer should have access to master.key when there is
I think Rails 6 will have credentials for different environments.
Yes. Maybe even in 5.2.x - rails/rails#33521
https://github.com/printercu/secure_credentials/wiki/Rails-5.2-credentials-are-not-secure