Question
I just upgraded from 5.1 to 5.2 and I'm quite confused about this 'better' methodology for storing secrets...
Maybe I'm not understanding, but it seems like now development and production have been 'merged' into a SINGLE SECRET_KEY_BASE as well as master.key... is this correct?
If not, how do I use a separate master key and SECRET_KEY_BASE in development?
What if I have developers helping me and I don't want them to know my master key (or secrets) I use in production?
Answer 1:
Rails 5.2 changed this quite a bit. For development and test environments, the secret_key_base is generated automatically, so you can just remove it from secrets.yml or wherever you have it set.
As for production, there is the credentials file, which you can generate and edit by running rails credentials:edit. This will also create the master key in config/master.key, which is only used for encrypting and decrypting this file. Add this to .gitignore so it's not shared with anyone else, which should take care of sharing it with fellow devs.
If all of this sounds a bit tedious, and it is, you can just ignore it and provide the secret_key_base in ENV. Rails will check if it's present in ENV["SECRET_KEY_BASE"] before it complains.
Answer 2:
There are two ways to access secret_key_base:
- Rails.application.credentials.secret_key_base
- Rails.application.secrets.secret_key_base
Rails 5 took the first way by default.
You can change Rails.application.credentials.secret_key_base by running rails credentials:edit. For all other environments, remember to set the environment variable RAILS_MASTER_KEY to the same content as config/master.key. The master.key is git-ignored by default. This way uses the same secret key for all environments; if you want to use different keys, you need to control namespaces by yourself.
If you prefer the second way, Rails.application.secrets.secret_key_base, you need to create config/secrets.yml:
development:
  secret_key_base: ...
test:
  secret_key_base: ...
production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
Remember to set the environment variable SECRET_KEY_BASE on production. If the config/secrets.yml file is secret enough, changing <%= ENV["SECRET_KEY_BASE"] %> to plain text is fine. rake secret can generate a random secret key for you.
I prefer the second way (the old way), because it is simple.
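The secrets.yml route described in this answer, worked through as an added example (it is not code from the answer or from Rails): it renders the ERB in a constructed config/secrets.yml, picks the section for the running environment, and applies the lookup order Answer 1 describes, ENV["SECRET_KEY_BASE"] first, then the file, then an auto-generated key for development and test only, so that production with no key fails loudly instead of silently running with an empty one. The helper names (load_secrets, secret_key_base_for) and the sample YAML values are assumptions made for the example.

```ruby
require "erb"
require "yaml"
require "securerandom"

# Constructed sample of config/secrets.yml in the shape shown in the answer above.
# Only production reads from ENV; the development/test values are placeholders.
SECRETS_YML = <<~YAML
  development:
    secret_key_base: dev-only-key-not-used-in-production
  test:
    secret_key_base: test-only-key
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# Render the ERB tags, parse the YAML, and return the section for `env` (hypothetical helper).
def load_secrets(env, yml = SECRETS_YML)
  YAML.safe_load(ERB.new(yml).result).fetch(env, {}) || {}
end

# Resolve secret_key_base in the order Rails 5.2 consults its sources:
#   1. ENV["SECRET_KEY_BASE"]             (checked before anything else)
#   2. config/secrets.yml for this env    (its ERB may itself read ENV, as above)
#   3. an auto-generated key, but only for development and test
# Production with no key is an error, not a fallback: an empty or guessable
# key would let anyone forge signed session cookies.
def secret_key_base_for(env, yml = SECRETS_YML)
  from_env = ENV["SECRET_KEY_BASE"]
  return from_env if from_env && !from_env.empty?

  from_file = load_secrets(env, yml)["secret_key_base"]
  return from_file if from_file.is_a?(String) && !from_file.empty?

  if %w[development test].include?(env)
    # Rails persists its generated dev/test key under tmp/; a fresh value per call is enough here.
    SecureRandom.hex(64)
  else
    raise ArgumentError,
          "Missing `secret_key_base` for '#{env}' environment: set ENV[\"SECRET_KEY_BASE\"] or config/secrets.yml"
  end
end

if __FILE__ == $0
  puts secret_key_base_for("development")
end
```

Note that with the ERB tag in the file, an unset SECRET_KEY_BASE renders as an empty YAML value, which is why the code checks for a non-empty String rather than just for the key being present.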
Answer 3:
I used this gem when I didn't want to share the production master.key with my friend developers, which I think is the exact same purpose as the OP's.
https://github.com/sinsoku/rails-env-credentials
You can have a master key for each environment as below, so you have discretion as to which key you want to share with which developers/deployers.
config/credentials-development.yml.enc
config/credentials-test.yml.enc
config/credentials.yml.enc
master-development.key
master-test.key
master.key
Each key will be generated when you first run something like:
rails env_credentials:edit -e development
If you switch from one master.key setup to this, one error you might encounter will be related to config/database.yml, in which Rails tries to evaluate all environment information no matter which environment you are on. (Even if you comment them out, Rails still tries to evaluate the ERB parts.)
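An added example, written for this page rather than taken from the answers, the rails-env-credentials gem or Rails, that ties together the credentials file and master key from Answer 1, the RAILS_MASTER_KEY lookup from Answer 2, and the per-environment file layout from this answer. It implements the encrypted-file scheme in plain Ruby (AES-128-GCM with the 32-hex-character master key, output as ciphertext--iv--auth_tag in Base64, modelled on what Rails' EncryptedFile writes; byte-for-byte compatibility with Rails is not claimed), stores one key file per environment, and shows that a developer holding only master-development.key cannot open credentials.yml.enc. All function names, the key-lookup helper and the sample credentials are assumptions for the example.

```ruby
require "openssl"
require "yaml"
require "securerandom"
require "tmpdir"

# Rails' EncryptedFile uses AES-128-GCM; the 32-hex-char master.key unpacks to the 16-byte key.
CIPHER = "aes-128-gcm"

def generate_master_key
  SecureRandom.hex(16)
end

# Encrypt to a "ciphertext--iv--auth_tag" string, each part strict Base64.
def encrypt(plaintext, hex_key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = [hex_key].pack("H*")
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  [ciphertext, iv, cipher.auth_tag].map { |part| [part].pack("m0") }.join("--")
end

# Decrypt and verify the GCM tag; a wrong key raises OpenSSL::Cipher::CipherError at final.
def decrypt(blob, hex_key)
  ciphertext, iv, tag = blob.split("--").map { |part| part.unpack1("m0") }
  cipher = OpenSSL::Cipher.new(CIPHER).decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ""
  cipher.update(ciphertext) + cipher.final
end

# Layout from the answer: production keeps Rails' default names, every other
# environment gets a "-<env>" suffix on both the encrypted file and its key.
def credentials_path(dir, env)
  File.join(dir, env == "production" ? "credentials.yml.enc" : "credentials-#{env}.yml.enc")
end

def key_path(dir, env)
  File.join(dir, env == "production" ? "master.key" : "master-#{env}.key")
end

# Key lookup order: RAILS_MASTER_KEY in the environment (deploy hosts), then that
# environment's key file (developers who were handed it). Lacking both yields nil.
def read_master_key(dir, env, environ = ENV)
  from_env = environ["RAILS_MASTER_KEY"]
  return from_env.strip if from_env && !from_env.strip.empty?
  path = key_path(dir, env)
  File.exist?(path) ? File.read(path).strip : nil
end

# Write one environment's encrypted credentials, creating its key file on first use
# (the job `rails env_credentials:edit -e <env>` does for you). Returns the key.
def write_credentials(dir, env, yaml_text)
  key = read_master_key(dir, env, {}) || generate_master_key.tap { |k| File.write(key_path(dir, env), k) }
  File.write(credentials_path(dir, env), encrypt(yaml_text, key))
  key
end

def read_credentials(dir, env, environ = ENV)
  key = read_master_key(dir, env, environ)
  raise "no master key for #{env}: set RAILS_MASTER_KEY or provide #{key_path(dir, env)}" if key.nil?
  YAML.safe_load(decrypt(File.read(credentials_path(dir, env)), key))
end

# .gitignore entries: every key file stays out of the repo; the *.yml.enc files are committed.
def gitignore_lines(envs)
  envs.map { |env| "/config/#{File.basename(key_path('config', env))}" }
end

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    write_credentials(dir, "development", "secret_key_base: devsecret\n")
    prod_key = write_credentials(dir, "production", "secret_key_base: prodsecret\n")
    puts read_credentials(dir, "development", {})["secret_key_base"]
    puts read_credentials(dir, "production", { "RAILS_MASTER_KEY" => prod_key })["secret_key_base"]
    puts gitignore_lines(%w[development test production])
  end
end
```

Because each environment's file is encrypted under its own key, handing a developer master-development.key grants nothing about production; the failed decryption is an authentication-tag mismatch, so a wrong key produces an error rather than garbage YAML.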
Source: https://stackoverflow.com/questions/49782241/separate-secret-key-base-in-rails-5-2