Project

rails_master_key_kms_decrypter

0.0
No commit activity in last 3 years
No release in over 3 years
rails_master_key_kms_decrypteralpaca-tc/rails_master_key_kms_decrypterHomepageDocumentationSource CodeBug TrackerWiki
AWS KMS decryption for rails credentials
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
5,039
Stars
2
Forks
2
Watchers
2
 Releases
Current version
0.1.1
Total releases
2
First release
2018-02-22
Latest release
2018-04-09
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
4
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Licenses
MIT
Average date of last 50 commits
2018-03-21
Reverse Dependencies
0

 Dependencies

Development

bundler
~> 1.16
rake
~> 10.0
rspec
~> 3.0
rubocop
>= 0

Runtime

aws-sdk-kms
>= 0
rails
>= 5.2.0.rc1
 Project Readme

Build Status

RailsMasterKeyKmsDecrypter

Dynamic decryptier of encrypted config/master.key on EC2.

Rails5.2 introduced encrypted credentials 🙌

The key, located on config/master.key is created when you run rails new. It doesn't get committed to your repository.

If you using AWS and this gem, you can encrypt config/master.key to commit it. After encryping the key, the encrypted key will be saved to config/master.key.enc.

The default rails credential decryptor decrypts config/credentials.yml.enc from raw master key. After adding this gem, rails decrypts it from encrypted master key.

Installation

Add this line to your application's Gemfile:

gem 'rails_master_key_kms_decrypter' # Recommended: `group: 'production'`

Usage

Rails Application

1. Get your KMS key-id from AWS

Create the key at your region on KMS

2. Encrypt your master.key or RAILS_MASTER_KEY

Encrypt your config/master.key

# Create `config/master.key.enc`
aws kms encrypt --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --plaintext fileb://config/master.key --output text --query CiphertextBlob > config/master.key.enc
git add config/master.key.enc
git commit

# or define `ENCRYPTED_RAILS_MASTER_KEY`
ENCRYPTED_RAILS_MASTER_KEY=$(aws kms encrypt --key-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx --plaintext fileb://config/master.key --output text --query CiphertextBlob)

3. Try to decrypt encrypted credentials

When rails credential decryption is succeeded, rails_master_key_kms_decrypter is ready.

ENCRYPTED_RAILS_MASTER_KEY=... ./bin/rails runner 'Rails.application.credentials.config.present? ? puts("👍") : puts("👎")'

AWS resource

1. Create the policy to allow access to KMS

Create policy

# Resource is your key
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "kms:Decrypt",
      "Resource": "arn:aws:kms:ap-northeast-1:012345678900:key/1234567a-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    }
  ]
}

2. Create the role to allow access to KMS

Create role Choose your resource and attach the policy from before.

3. Attach IAM role to EC2

Create EC2 and deploy your application.

RailsMasterKeyKmsDecrypter need region information. Please set ENV["AWS_REGION"] or ENV["RAILS_MASTER_KEY_KMS_DECRYPTER_AWS_REGION"].

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/alpaca-tc/rails_master_key_kms_decrypter.

License

The gem is available as open source under the terms of the MIT License.