The application uses ActiveRecord Encryption to encrypt sensitive data.
Application-level encryption ensures that we reduce the risk of leaking PII information should the database ever be compromised.
Rails encrypts data using a key that is stored outside of version control. In deployed environments we use the RAILS_MASTER_KEY environment variable to pass the key to the application.
For local development, the key is stored in config/master.key
. This file is not encrypted, so it
should be kept secret.
To gain access to this key, you can call make dev print-keyvault-secret | grep RAILS_MASTER_KEY
and
then copy the value from the output to your local config/master.key
file.
There may be a reason to rotate the encryption key in the future. See this guide for the details.
ActiveRecord Encryption supports a list of keys. It uses the last key in the list for encrypting data and will try all the keys in the list for decrypting until one works.
To add a new key to the list, make sure you have the correct value set in config/master.key
. Then...
bin/rails credentials:edit
Add a new key to the list and then save the file. This will mutate the config/credentials.yml.enc
file.
Commit these changes to the repo and deploy.