Merge pull request #219 from DFE-Digital/update-encryption-docs

Update encryption docs

docs/encryption.md

@@ -5,15 +5,7 @@ The application uses [ActiveRecord Encryption](https://guides.rubyonrails.org/ac
 Application-level encryption ensures that we reduce the risk of leaking PII information should
 the database ever be compromised.
 
-## Encryption keys
-
-Rails encrypts data using a key that is stored outside of version control. In deployed environments
-we use the `RAILS_MASTER_KEY` environment variable to pass the key to the application.
-
-For local development, the key is stored in `config/master.key`. This file is not encrypted, so it
-should be kept secret.
-
-## Rails DB encryption configuration
+## Rails DB encryption keys configuration
 
 **Note:** We do not store db encryption keys in Rails credentials, as these cannot be easily set per hosting environment.
 
@@ -25,12 +17,14 @@ config.active_record_encryption.deterministic_key
 config.active_record_encryption.key_derivation_salt
 ```
 
-The application reads these from environment variables populated either locally from `.env.local` or from the appropriate keyvault secret.
+The application reads these from environment variables populated either locally from dotenv files, or from the appropriate keyvault secrets.
+
+## Generate ActiveRecord database encryption secrets
 
 To generate or regenerate these configuration values run:
 
 `bin/rails setup_db_encryption`
 
 Paste the resulting output to either your `.env.local` _and_ `.env.test.local` files.
 
-If you are generating application secrets in Azure, amend this output to a valid YAML format for the appropriate keyvault.
+If you are generating application secrets in Azure, amend this output to a valid YAML format and save in the appropriate keyvault.