Merge pull request #305 from rubygems/colby/set-database-encryption-keys

Set ActiveRecord encryption keys
rubygems · Nov 1, 2024 · 582074a · 582074a
2 parents 591b1a8 + 00ef0ee
commit 582074a
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/config/deploy/production/secrets.ejson b/config/deploy/production/secrets.ejson
@@ -16,7 +16,10 @@
         "github_app_id": "EJ[1:zFzdMbOJMc0969knLIhVeYUJh1oPfj6QPGoGClZ2jms=:dkDD7o7eQ0D2O9e012lXn07d4zilt7ou:jmR05XNWkK8sCLqeH4psmXdoQ5gb]",
         "github_installation_id": "EJ[1:zFzdMbOJMc0969knLIhVeYUJh1oPfj6QPGoGClZ2jms=:XXEmmIWvA7lUfNS2X5fI66ai4PGEpnuT:83yvniyv9rnbFCG4y7laPM4LVLPojJY=]",
         "github_webhook_secret": "EJ[1:zFzdMbOJMc0969knLIhVeYUJh1oPfj6QPGoGClZ2jms=:0ZyMpTd5rIhwrKcJgHMpxPPTs40ngSzX:7/XwrqiCoGMrzw8NBrwNIGtpk7RkZxPedWVeVkAIugGqEZCiB2Z9FH4s2i5+LN6boN6LfodOUF8=]",
-        "github_private_key": "EJ[1:zFzdMbOJMc0969knLIhVeYUJh1oPfj6QPGoGClZ2jms=:7w7vtIR+tKaP2WKXaksspLFBc9P6GjAI:SEBX+AIeqCWOBoOZDSVjOIwnqlRLP3tJmrr2cBmv5AX0OBa4nXy0SuNF4pLcKBQ8/f6ErtYN1js4bCMhyAJrpRJoHH3JHOX9DnCk3X2yFkOk7oJ87mvsSuwBG3GHWTK46xjrYtO25xMcjkKoTbUgEq1nO6ObU693Qv3W2Uv//COlzm0NGFE049SIMFIboxX6/OIb7eGTTL6OhdoNTBtPw49w2DqwOSknF0KoAb8knXbwlNBJJxWEK3HxafsQ8g9xZ/ADUiB0/k6WQWlJQIhv2LVajvXK76pQMFT9WOSOY5kdaVEVpT9+Y6E0byJ82TWb+Dt4g7qCfdEAudaigvZD6J8vKy3yFEJOtiMmUCiyqZnOCsYzhy3HI3QzevsQksJ7b1wzmsBMto5WHDan1NigZnyMnfgbI+5MaNH2l6TYzvfXAEApwtApoKsjIPdw6Z6hcYGruwCk9e+6jjhKMDkk5FIoZ+N/SWvOgvcKtbdkAwOaiPCG07dKlLSWKMHsNyX636ESI3Ss2YM9vEWPbOMOplvvmH5Eef7WEAIh6wPcmht2vN0cS/161swbfKUv5WsZSsKbAw0zCRyG4OwSHh3+AJ8Iuf0qXLEWkwlZbliwXFbVW2fqiGxDKrxq9qpYlJBeLtypqXP/O/g7YufCwUvGECAxruBpW5iDi2XcdZARL14tWpwxXA+fFb+jjQdv/X9TqxkFy4PwVKBkdCnpmIVMDwvzEVdZdlFTy8q0ujPPjg3WIaSfZdhLcdignyOCtypgo7Tf1LRsosno6jv7Ux4j6YueEjUR7kCyivHG8nlocJayv6vgGuOq4vuIyfPY8dXWwklvjcGneNivovhGhkt46kYzwyT05SqtzWoYhDOoWq93chitHZ+Clp1eZnHHzWeqSWDXrp7d3OjBZ5lvB65ZC9wanXcM52YeIAH22Deu2/glz19Ea4MSnmAJgn4Yx7d5mVeuJBIcYLMFRIvBftmFfqp3SW5vCzYgX/bQFeCYGFi0ik3Pk8Js9iTIQ0ZfQ/pCpW4Qdh3ZZVNErj87jIogT80JgqJDOppTJ8x7P8zQHLrqFiUzR/1sq9pJL2/l9fbIxQEOdVzzpS5RQVUHdCZ5TziP0PjmxfmXaaFudrw49NxpY1NISSQQdruVF4cwzUHRj703MXwtysyXYBz1sovJ4kN6xPOCQt5yjSXjino8wZ9Yrab6C+57PSuhHnrhRHM+0d6XfSH+17MUWQu+G2hx8vSxbkDColXVhXl0g72WlD8shLhnjiMjL2Wgk8viwoje+LW+Bild35oDDjgt3Lf4AkHQfHY++4nmc/KYTgjB4mBillSSVD+SDdxMpsutVUoTFzgwF9FdLk7N8AGIyFgQZtnAqFSWdZFwcAxapjKDMNu+l/HWushvty3NsIpkvVBl3J5Li2dQNqssdH79Bt2uAlO6qY5ldR6ovdigv+SLGqYb/x8SlMVJGpHuId1MFhx8FgWBLo6iDwjMUkNov5yZzvgVVGsaJVsQLvdtLRaUFpGDOtkBRkfOgkHKweKobEclvUzIO8ZkKjKV6rbD0rY0GAjmWP1bTyzqIDVqbamdvS9zgQg4/UUYTPK5n/3xFlApxT0/DfjKfLq5e+uh5Ei2VZyt9XVbgWbpeRzanmH5Vs2F0zNMjlRrQ0QnizOyBWdDtTr5t9ssKEj+2ksXFH9i7oR7bmEGAEMn77G7TGwVmwUrJkSZBNLyQnlbw7AcWZL8y51HR+Egu3yBTb1JCafKqvN5Ykux6U29coNrp52XsbWMuYsILnaZUJ/LkvStLx3yaj3kkGPtBOu87jfOt7xT0MG0P5vDammn07thPzxUn7pOKxxZGj4mvsQHo0AGdnv45iQCt/aFv6fXtiMOdY8fLJhdNCAqUYYKOU04nq1IapVmLyFOgEZGffPWX5SJLkLOntq3N5BXn/aai8J2A968n1g5AiK0rM+ztdf2Hc7A3ASFpI1ObC9ZEiJy0y6ujZXfFyO+JIKdM7CzVZGoVGd+DZKcybgDEa99aeJuYg+9rzX6OXt9HfIHA8ZZv8RPVw0Sh4cRtQbGL5kjmXHfZT/taq4EnU4hyQO0TXMR55E1cs6V2gmx0j5/4ufZjF5vKPjg+w+9P22SoKgiv+rZFpbaCWTwknABjuFmVtn2OC+dLucNbYUHUkzW/CXXS+eWUfAuL4J0b7jdmk9D2QEThfEv/HRAP+Lhh5axkXuA09sg45zzIr5jqyq2kD48WE1qJc4YUf1EmsbJtSpHqvpt0H4=]"
+        "github_private_key": "EJ[1:zFzdMbOJMc0969knLIhVeYUJh1oPfj6QPGoGClZ2jms=:7w7vtIR+tKaP2WKXaksspLFBc9P6GjAI:SEBX+AIeqCWOBoOZDSVjOIwnqlRLP3tJmrr2cBmv5AX0OBa4nXy0SuNF4pLcKBQ8/f6ErtYN1js4bCMhyAJrpRJoHH3JHOX9DnCk3X2yFkOk7oJ87mvsSuwBG3GHWTK46xjrYtO25xMcjkKoTbUgEq1nO6ObU693Qv3W2Uv//COlzm0NGFE049SIMFIboxX6/OIb7eGTTL6OhdoNTBtPw49w2DqwOSknF0KoAb8knXbwlNBJJxWEK3HxafsQ8g9xZ/ADUiB0/k6WQWlJQIhv2LVajvXK76pQMFT9WOSOY5kdaVEVpT9+Y6E0byJ82TWb+Dt4g7qCfdEAudaigvZD6J8vKy3yFEJOtiMmUCiyqZnOCsYzhy3HI3QzevsQksJ7b1wzmsBMto5WHDan1NigZnyMnfgbI+5MaNH2l6TYzvfXAEApwtApoKsjIPdw6Z6hcYGruwCk9e+6jjhKMDkk5FIoZ+N/SWvOgvcKtbdkAwOaiPCG07dKlLSWKMHsNyX636ESI3Ss2YM9vEWPbOMOplvvmH5Eef7WEAIh6wPcmht2vN0cS/161swbfKUv5WsZSsKbAw0zCRyG4OwSHh3+AJ8Iuf0qXLEWkwlZbliwXFbVW2fqiGxDKrxq9qpYlJBeLtypqXP/O/g7YufCwUvGECAxruBpW5iDi2XcdZARL14tWpwxXA+fFb+jjQdv/X9TqxkFy4PwVKBkdCnpmIVMDwvzEVdZdlFTy8q0ujPPjg3WIaSfZdhLcdignyOCtypgo7Tf1LRsosno6jv7Ux4j6YueEjUR7kCyivHG8nlocJayv6vgGuOq4vuIyfPY8dXWwklvjcGneNivovhGhkt46kYzwyT05SqtzWoYhDOoWq93chitHZ+Clp1eZnHHzWeqSWDXrp7d3OjBZ5lvB65ZC9wanXcM52YeIAH22Deu2/glz19Ea4MSnmAJgn4Yx7d5mVeuJBIcYLMFRIvBftmFfqp3SW5vCzYgX/bQFeCYGFi0ik3Pk8Js9iTIQ0ZfQ/pCpW4Qdh3ZZVNErj87jIogT80JgqJDOppTJ8x7P8zQHLrqFiUzR/1sq9pJL2/l9fbIxQEOdVzzpS5RQVUHdCZ5TziP0PjmxfmXaaFudrw49NxpY1NISSQQdruVF4cwzUHRj703MXwtysyXYBz1sovJ4kN6xPOCQt5yjSXjino8wZ9Yrab6C+57PSuhHnrhRHM+0d6XfSH+17MUWQu+G2hx8vSxbkDColXVhXl0g72WlD8shLhnjiMjL2Wgk8viwoje+LW+Bild35oDDjgt3Lf4AkHQfHY++4nmc/KYTgjB4mBillSSVD+SDdxMpsutVUoTFzgwF9FdLk7N8AGIyFgQZtnAqFSWdZFwcAxapjKDMNu+l/HWushvty3NsIpkvVBl3J5Li2dQNqssdH79Bt2uAlO6qY5ldR6ovdigv+SLGqYb/x8SlMVJGpHuId1MFhx8FgWBLo6iDwjMUkNov5yZzvgVVGsaJVsQLvdtLRaUFpGDOtkBRkfOgkHKweKobEclvUzIO8ZkKjKV6rbD0rY0GAjmWP1bTyzqIDVqbamdvS9zgQg4/UUYTPK5n/3xFlApxT0/DfjKfLq5e+uh5Ei2VZyt9XVbgWbpeRzanmH5Vs2F0zNMjlRrQ0QnizOyBWdDtTr5t9ssKEj+2ksXFH9i7oR7bmEGAEMn77G7TGwVmwUrJkSZBNLyQnlbw7AcWZL8y51HR+Egu3yBTb1JCafKqvN5Ykux6U29coNrp52XsbWMuYsILnaZUJ/LkvStLx3yaj3kkGPtBOu87jfOt7xT0MG0P5vDammn07thPzxUn7pOKxxZGj4mvsQHo0AGdnv45iQCt/aFv6fXtiMOdY8fLJhdNCAqUYYKOU04nq1IapVmLyFOgEZGffPWX5SJLkLOntq3N5BXn/aai8J2A968n1g5AiK0rM+ztdf2Hc7A3ASFpI1ObC9ZEiJy0y6ujZXfFyO+JIKdM7CzVZGoVGd+DZKcybgDEa99aeJuYg+9rzX6OXt9HfIHA8ZZv8RPVw0Sh4cRtQbGL5kjmXHfZT/taq4EnU4hyQO0TXMR55E1cs6V2gmx0j5/4ufZjF5vKPjg+w+9P22SoKgiv+rZFpbaCWTwknABjuFmVtn2OC+dLucNbYUHUkzW/CXXS+eWUfAuL4J0b7jdmk9D2QEThfEv/HRAP+Lhh5axkXuA09sg45zzIr5jqyq2kD48WE1qJc4YUf1EmsbJtSpHqvpt0H4=]",
+        "active_record_encryption_primary_key": "EJ[1:Qmr5gwJIiMurrAsJN9lhPWIiuSIi7zHhykAg/JgrE2k=:ZZ+Ca/4GkkPx/3kmvOZ1LfPsvTMxAuZh:6m3BHI6OSKKW5RjyEB6nhhxIDVTbHzuq2F5hA/36flOVH6s3zxmn6CdV1e+xkT/Y8H3tZMB5WsqkYVCJS+GudQ56lGPA/i8aCEi7LXIClbc=]",
+        "active_record_encryption_deterministic_key": "EJ[1:Qmr5gwJIiMurrAsJN9lhPWIiuSIi7zHhykAg/JgrE2k=:mHqcPXVYOEhiDnRVchGTSaNhS2Tz/ZlQ:uotrPOzSESya+2A3QzMx6AVg7/06a72r+5WlWjrzg5XC6DcI58sO70Yp7aQuyd1cxSVLjh5SMenAYwaGBw4OXWtlbHkz7JG34t6wvaiJrz4=]",
+        "active_record_encryption_key_derivation_salt": "EJ[1:Qmr5gwJIiMurrAsJN9lhPWIiuSIi7zHhykAg/JgrE2k=:rH+5vMz0z3ukAN+DF2JxZxpryZwMIiZ4:PeUvySslYjscyYlN9q+DA6hEJvdkrn7oKpzPIg68bEsFMd/LpuVkP3Q6kmd/o2TEostuAY9ycGGUNF3l/4ie/o+OU+rsO3/dGjtky2PoM4I=]"
       }
     }
   }

diff --git a/config/deploy/production/sidekiq.yaml.erb b/config/deploy/production/sidekiq.yaml.erb
@@ -103,6 +103,21 @@ spec:
               secretKeyRef:
                 name: production
                 key: github_private_key
+          - name: ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+            valueFrom:
+              secretKeyRef:
+                name: production
+                key: active_record_encryption_primary_key
+          - name: ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+            valueFrom:
+              secretKeyRef:
+                name: production
+                key: active_record_encryption_deterministic_key
+          - name: ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+            valueFrom:
+              secretKeyRef:
+                name: production
+                key: active_record_encryption_key_derivation_salt
         securityContext:
           privileged: false
         volumeMounts:

diff --git a/config/secrets.yml b/config/secrets.yml
@@ -9,6 +9,10 @@ test:
     oauth:
   redis_url: redis://localhost
 production:
+  active_record_encryption:
+    primary_key: <%= ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY'] %>
+    deterministic_key: <%= ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY'] %>
+    key_derivation_salt: <%= ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT'] %>
   secret_key_base: <%= ENV['SECRET_KEY_BASE'] %>
   host: <%= ENV['SHIPIT_HOST'] %>
   github_api: