From 1def48fc227513b9e13d96754343aaf01a305031 Mon Sep 17 00:00:00 2001 From: Steve Laing Date: Thu, 18 Jan 2024 09:51:35 +0000 Subject: [PATCH] Update encryption docs Rails master key is not relevant to how we generate and store AR encryption secrets. --- docs/encryption.md | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/docs/encryption.md b/docs/encryption.md index 32a0c246..0d962892 100644 --- a/docs/encryption.md +++ b/docs/encryption.md @@ -5,15 +5,7 @@ The application uses [ActiveRecord Encryption](https://guides.rubyonrails.org/ac Application-level encryption ensures that we reduce the risk of leaking PII information should the database ever be compromised. -## Encryption keys - -Rails encrypts data using a key that is stored outside of version control. In deployed environments -we use the `RAILS_MASTER_KEY` environment variable to pass the key to the application. - -For local development, the key is stored in `config/master.key`. This file is not encrypted, so it -should be kept secret. - -## Rails DB encryption configuration +## Rails DB encryption keys configuration **Note:** We do not store db encryption keys in Rails credentials, as these cannot be easily set per hosting environment. @@ -25,7 +17,9 @@ config.active_record_encryption.deterministic_key config.active_record_encryption.key_derivation_salt ``` -The application reads these from environment variables populated either locally from `.env.local` or from the appropriate keyvault secret. +The application reads these from environment variables populated either locally from dotenv files, or from the appropriate keyvault secrets. + +## Generate ActiveRecord database encryption secrets To generate or regenerate these configuration values run: 
@@ -33,4 +27,4 @@ To generate or regenerate these configuration values run: Paste the resulting output to either your `.env.local` _and_ `.env.test.local` files. -If you are generating application secrets in Azure, amend this output to a valid YAML format for the appropriate keyvault. +If you are generating application secrets in Azure, amend this output to a valid YAML format and save in the appropriate keyvault.
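Review bot: In the first hunk, deleting the whole "Encryption keys" section also drops the only guidance in this file that `config/master.key` is unencrypted and must be kept out of version control; the commit message only argues the master key is unrelated to ActiveRecord encryption secrets, not that the warning is covered elsewhere. If the master key is documented in another page, replace the section with a one-line pointer to it rather than removing it silently. The new heading also reads awkwardly as "Rails DB encryption keys configuration"; "Rails DB encryption key configuration" is the natural form.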
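Review bot: In the second hunk, "To generate or regenerate these configuration values run:" now sits under a heading about generating secrets but says nothing about what regenerating `primary_key`, `deterministic_key` or `key_derivation_salt` does to records already encrypted with the old values; add a sentence telling the reader to check how existing data will be handled before regenerating in an environment that holds data. Two smaller points: the comma in "from dotenv files, or from the appropriate keyvault secrets" is not needed, and since the next paragraph names `.env.local` and `.env.test.local`, naming them here too would be more precise than "dotenv files".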
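Review bot: In the third hunk, "amend this output to a valid YAML format and save in the appropriate keyvault" is missing its object; it should read "save it in the appropriate keyvault". The unchanged context line just above, "Paste the resulting output to either your `.env.local` _and_ `.env.test.local` files", mixes "either" with "and"; while touching this paragraph, change it to "both your `.env.local` and `.env.test.local` files".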