-
Notifications
You must be signed in to change notification settings - Fork 21.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ActiveRecord eagerly validates encryption configuration unnecessarily #46647
Comments
I think #44540 was meant to fix this. Do you still get the issue if you target the Rails |
Ah, sorry I did a search but had missed that one. Let me try! |
Reading through that PR it looks like it may have introduced some issues (see also #44873) if you have already used AR Encryption in production. Just be wary of that. |
Thanks for the heads up. Bit of a silly question.. It looks like that PR was merged into |
Rails 7.0 was released last year, so only select bug fixes automatically make it into 7.0.x releases. In this case it doesn't look like it's been backported so it is not in a release. It will definitely be in the next major (7.1). https://guides.rubyonrails.org/maintenance_policy.html explains how all this works. Generally the easiest way to check if it's going to be included in an existing release is to look at the |
I'm going to close this as it seems like the issue is resolved. Please open another issue if you come across any other problems! |
I am using AWS KMS for encryption with ActiveRecord::Encryption using a simple custom Key Provider (pasted below). As such, KMS generates my data keys and my intent is to not use the build-in ActiveRecord Key Generator. However, ActiveRecord is insisting I configure the
primary_key
,deterministic_key
, andkey_derivation_salt
.Steps to reproduce
encrypts :secret_field, key_provider: CustomKeyProvider.new
Expected behavior
Because I've chosen to replace Rails' built-in key generation, I would not expect to need to configure the encryption options in order to use ActiveRecord::Encryption. Configuring my application with a Rails
primary_key
creates confusion about exactly which key(s) are being used to encrypt my data.Given that encryption configuration appears to be optional in general, I would expect configuration errors to be raised lazily e.g. if and only if the Rails-default Key Provider was asked to generate a key without being properly configured.
Actual behavior
System configuration
Rails version: 7.0.4
Ruby version: 3.1.2
Custom Key Provider
The text was updated successfully, but these errors were encountered: