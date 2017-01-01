That feels like asking for troubles. I guess it would be okay if everything about the whole encryption system is 100% perfect, but what are the odds of that? If you've ever published a version of the encrypted secrets anywhere public and a bug in the way they use encryption is ever discovered, then all of your secrets are exposed, possibly for an unknown amount of time without you ever knowing. I don't see why you would bother with the risk and trouble when keeping them entirely secret seems much harder to mess up.
Pretty high? Encrypted secrets are used a lot for companies that host their version control system on-prem.
http://weblog.rubyonrails.org/2017/2/23/Rails-5-1-beta1/
> Encrypted secrets
> If you’re checking production passwords, API keys, and other secrets undisguised into your revision control system, you’re doing it wrong. That’s not safe and you should stop it! Now that’s an easy prescription, but without a coherent answer to what you should do instead, it’s also not that helpful.
> People have long been loading up the ENV to store these secrets or used a variety of other solutions. There are all sorts of trade-offs and drawbacks to the ENV-model, not least of which that you still need to store those secrets for real somewhere else.
> Inspired by Ara T. Howard’s sekrets gem, we’ve built encrypted secrets management into Rails 5.1. You can setup a new encrypted secrets file with bin/rails secrets:setup. That’ll generate a master key you’ll store outside of the repository, but allow you to commit the actual production secrets to your revision control. They’re then decrypted in production either through an injected key file or through RAILS_MASTER_KEY in the ENV.
We're doing encrypted secrets in config that get decrypt by aws kms on application startup and it's been working quite well for us.
Keeping config entirely separate from app source is the way to go. Encrypted configs is a specific version of that general anti-pattern.
Encrypted configs (and configs in source code itself) seem like a good idea at first, "I don't have to configure anything and it works in prod!" but it also means you can't flip any switches or rotate config without pushing a new version.
This also makes it difficult to stand up a parallel environment, say for reproducing a defect, as the configs are expected to be baked internally. You can't just pull out the release build and run it in a different environment with one or two variables tweaked.
> We're doing encrypted secrets in config that get decrypt by aws kms on application startup and it's been working quite well for us.
Using KMS solves the problem of where do you keep the key that locks the configs but they should still be kept externally from the app code. Depending on the scale of how you're deploying that could be a local file, an external secrets server, or just a blob on S3 (accessible via EC2 IAM roles).
