Closed ThisIsMissEm closed 6 years ago
reidmorrison
commented
6 years ago Symmetric Encryption supports both environment variables and Heroku directly. Look for the Heroku option when generating the configuration file: https://rocketjob.github.io/symmetric-encryption/configuration.html
ThisIsMissEm
commented
6 years ago The problem is with --envs ENVIRONMENTS, say I have a heroku pipeline setup with production and release apps, in order to instruct symmetric-encryption which keys to use for which app, I need to pass RAILS_ENV=production or RAILS_ENV=release, this is problematic because heroku thinks that release isn't a production-like environment. Additionally anything that does optimisations for Rails.env.production? will consequently not be optimised in release but will be optimised in production
Hence wanting a way to have RAILS_ENV=production in both apps, but use different symmetric-encryption keys. As proposed, having a environment variable specifically for symmetric-encryption to use to understand it's environment.
edit: for clarity, I did use the heroku keystore option when I setup my app with symmetric-encryption. The issue is in this: (don't worry, those keys aren't in actual use)
test-symmetric-encryption $ symmetric-encryption --generate --keystore heroku --app-name my_app --environments "test,development,release,production"
********************************************************************************
Add the environment key to Heroku:
heroku config:add MY_APP_RELEASE_V1=Zgw02KnfY7+ONkLuZNYd+ddjt/jGlYzmFA4mJUujwlo14023FzH9w07IY1s4/ASG
Or, if using environment variables on another system set the environment variable as follows:
export MY_APP_RELEASE_V1="Zgw02KnfY7+ONkLuZNYd+ddjt/jGlYzmFA4mJUujwlo14023FzH9w07IY1s4/ASG"
********************************************************************************
********************************************************************************
Add the environment key to Heroku:
heroku config:add MY_APP_PRODUCTION_V1=JKShE9m/IzoguX4I0HYr6/oU3VGjPtz1dis5+aJB0o1gAxogXB5oX2cCnP7R1sKN
Or, if using environment variables on another system set the environment variable as follows:
export MY_APP_PRODUCTION_V1="JKShE9m/IzoguX4I0HYr6/oU3VGjPtz1dis5+aJB0o1gAxogXB5oX2cCnP7R1sKN"
********************************************************************************
New configuration file created at: test-symmetric-encryption/config/symmetric-encryption.ymlIn order to know if symmetric-encryption is meant to use MY_APP_PRODUCTION_V1 or MY_APP_RELEASE_V1, it defers to Rails.env, as far as I can tell: https://github.com/rocketjob/symmetric-encryption/blob/master/lib/symmetric_encryption/railtie.rb#L38
ThisIsMissEm
commented
6 years ago It's where the env at the end of this line comes from which is the problem: https://github.com/rocketjob/symmetric-encryption/blob/6668880e659672a5c724fd2db63c01cfb05590b7/lib/symmetric_encryption/config.rb#L76
reidmorrison
commented
6 years ago @ThisIsMissEm The above PR has been merged, does it sufficiently address the requirements above?
Currently we configuring symmetric-encryption, you can specify each of the environments that you have (e.g., say if you have a demo or staging environment). This works well, but there's an issue: The default way to determine which "environment" symmetric-encryption should use is to look at
Rails.envHowever, Heroku recommends against multiple "environments" (details), so in order to work nicely with heroku
Rails.envhas to be just "production"It seems that it'd be possible to read from something else, given the contents of railties
I'd like to field interest in setting up an
ENCRYPTION_ENVvariable as an alternative to useRails.env(i.e., env = ENV['ENCRYPTION_ENV'] || Rails.env).This way I could still have multiple encryption environments and still play nicely with heroku.