ram-nadella opened 3 years ago
We have switched to using Secret Config instead of using a config file at all. The data encryption keys are stored in the AWS Parameter Store and are encrypted using KMS.
The following code was added to config/application.rb to support local testing vs deployed code:
# Only deployed environments pull settings from AWS Parameter Store (SSM),
# decrypted with the KMS key alias; development and test skip this.
unless Rails.env.development? || Rails.env.test?
  config.secret_config.use :ssm, key_alias: "customer-kms", path: "/#{ENV['STACK_NAME']}/web"
end
@ram-nadella have you had a chance to see if the Secret Config approach above better suits your needs in the AWS environment? We are happy we made the switch since it is much easier to manage now, and we now retrieve all application settings from Secret Config at startup. If using Docker images, Secret Config is a must-have for externalizing configuration.
@reidmorrison thanks for following up on this.
We're using SecretsManager on AWS (provides a few nice things like access audit logs, secret rotation etc.). Ideally, we'd init symmetric-encryption on load with a key from secrets manager; was thinking of an ENV var as a more generalized way for others to reuse this method.
Issue # (if available)
https://github.com/rocketjob/symmetric-encryption/issues/149
Description of changes
AWS Keystore uses KMS for the key encryption key, and the data encryption key is local to the code / runtime. This change adds the option to provide the data encryption key using an environment variable, with the existing file option as a fallback. This would allow for use cases where you don't want to put the keys on the filesystem.
NOTE: this is still a work in progress; pushed a commit early to show the potential approach. The data needed to build the env key is not available in the read method. Thinking adding a config key might be the way to go here. Also need to add tests.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
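The lookup order the PR proposes, as an added illustration that is not the gem's code: take the KMS-encrypted data encryption key from an environment variable and fall back to the existing key file only when the variable is unset. The module, method and variable names (DekSource, encrypted_key, SYMMETRIC_ENCRYPTION_ENCRYPTED_KEY) are assumptions for this example.

```ruby
require "base64"
require "tempfile"

# Hypothetical helper (not symmetric-encryption's API): resolves the
# KMS-encrypted data encryption key (DEK) from ENV first, then from the
# key file the AWS keystore already reads.
module DekSource
  DEFAULT_ENV_VAR = "SYMMETRIC_ENCRYPTION_ENCRYPTED_KEY" # assumed name

  # Returns the encrypted DEK as raw bytes. It is still KMS-encrypted here;
  # the keystore would hand it to KMS at startup to recover the plaintext DEK.
  # env       - ENV in production, any Hash in tests
  # file_name - existing encrypted key file, used only as the fallback
  def self.encrypted_key(env:, file_name:, env_var: DEFAULT_ENV_VAR)
    encoded = env[env_var]
    if encoded && !encoded.strip.empty?
      # Environment variables are text, so the binary ciphertext travels
      # base64-encoded; a corrupted value fails loudly instead of silently
      # producing a wrong key.
      Base64.strict_decode64(encoded.strip)
    elsif file_name && File.file?(file_name)
      File.binread(file_name)
    else
      raise ArgumentError, "no encrypted data key in #{env_var} and no file at #{file_name.inspect}"
    end
  end

  # Reports which source would be used, e.g. for a startup log line so
  # operators can confirm the filesystem copy is no longer needed.
  def self.source(env:, file_name:, env_var: DEFAULT_ENV_VAR)
    return :env  if env[env_var] && !env[env_var].strip.empty?
    return :file if file_name && File.file?(file_name)
    :none
  end
end

# Stand-alone check: constructed ciphertext bytes arrive intact from both sources.
if $PROGRAM_NAME == __FILE__
  ciphertext = "\x00\x01\xFEconstructed-encrypted-dek".b
  Tempfile.create("dek") do |f|
    f.binmode
    f.write(ciphertext)
    f.flush
    env = { DekSource::DEFAULT_ENV_VAR => Base64.strict_encode64(ciphertext) }
    from_env  = DekSource.encrypted_key(env: env, file_name: f.path)
    from_file = DekSource.encrypted_key(env: {},  file_name: f.path)
    puts(from_env == ciphertext && from_file == ciphertext)
  end
end
```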