Migrate encrypted variables to new algorithm
Updated proposal 2023-04-23 per comments:
Due to the impending upgrade to Rails 7, we will hold off on this issue and implement Rails native encryption.
Original issue:
We're currently using outdated, insecure and recommended-against settings for encrypting CI variables.
Context:
A bug was discovered in Encryptor v2.0.0 that incorrectly set the IV when using an AES-*-GCM algorithm.
We should look into migrating those to the recommended encryption algorithm. This won't be straightforward since we need to decrypt the current values with the old version of the encryptor then re-encrypt everything with the new settings and encryptor. This would need to happen in a background migration.
Instructions for upgrading to attr-encrypted v3.0.0 - https://github.com/attr-encrypted/attr_encrypted#upgrading-from-attr_encrypted-v2x-to-v3x
Instructions for upgrading to Encryptor v3.0.0 - https://github.com/attr-encrypted/encryptor#upgrading-from-v200-to-v300
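The decrypt-then-re-encrypt step described under Context, as an added example; it is not code from this issue or from the attr_encrypted/Encryptor gems. Assumptions: the legacy cipher is a stand-in (AES-256-CBC), and the row layout, the "gcm-v3" scheme tag and all function names are hypothetical.

```ruby
require "openssl"

# Stand-in for the old decrypt path (assumption: AES-256-CBC with a stored IV).
# A real migration would call the old encryptor version here instead.
def legacy_decrypt(row, key)
  c = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  c.key = key
  c.iv = row[:iv]
  c.update(row[:value]) + c.final
end

# New settings: AES-256-GCM, fresh random IV per value, 16-byte tag appended.
def gcm_encrypt(plaintext, key)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key = key                # key first, then IV
  iv = c.random_iv
  c.auth_data = ""
  ct = plaintext.empty? ? c.final : c.update(plaintext) + c.final
  { scheme: "gcm-v3", iv: iv, value: ct + c.auth_tag }
end

def gcm_decrypt(row, key)
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key = key
  c.iv = row[:iv]
  c.auth_tag = row[:value].byteslice(-16, 16)
  c.auth_data = ""
  body = row[:value].byteslice(0, row[:value].bytesize - 16)
  body.empty? ? c.final : c.update(body) + c.final  # raises CipherError on tampering
end

# Re-encrypt one row. Already-migrated rows are returned untouched, so a
# retried background job is idempotent.
def migrate_row(row, old_key, new_key)
  return row if row[:scheme] == "gcm-v3"
  plaintext = legacy_decrypt(row, old_key)
  fresh = gcm_encrypt(plaintext, new_key)
  # Verify the round trip before the old ciphertext would be overwritten.
  raise "round-trip mismatch for row #{row[:id]}" unless gcm_decrypt(fresh, new_key) == plaintext
  fresh.merge(id: row[:id])
end

# Constructed sample row, encrypted with the stand-in legacy cipher.
def sample_legacy_row(id, plaintext, key)
  c = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  c.key = key
  iv = c.random_iv
  { id: id, scheme: "legacy", iv: iv, value: c.update(plaintext) + c.final }
end
```

Tagging each row with its scheme lets old and new ciphertexts coexist while the background migration is still running.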