Skip to content

Migrate application_settings.asset_proxy_secret_key to encrypts (step 1)

Rémy Coutablerequested to merge
538805-migrate-a-applicationsetting-attr_encrypted-attribute-to-activerecord-encryption-to-define into master

What does this MR do and why?

This code implements a migration from an older encryption method (attr_encrypted) to a newer encryption framework for the asset_proxy_secret_key attribute in the application settings. The changes introduce a new migrate_to_encrypts method that handles the transition between the two encryption systems while maintaining data integrity.

The implementation includes:

  1. A new database column (tmp_asset_proxy_secret_key) to store the data in the new encryption format
  2. A background migration job that copies encrypted data from the old format to the new one
  3. Methods to ensure both old and new encryption formats work during the transition period
  4. Tests to verify the migration works correctly

This approach allows for a gradual, non-disruptive transition between encryption frameworks while ensuring that existing encrypted data remains accessible throughout the process.

This follows (and actually apply it on a real use-case) the four-milestones process outlined at &15420. I plan to fine-tune the process based on how it goes with this first attribute migration (and keep improving the process with further attribute migrations).

References

How to set up and validate locally

In Rails console:

  1. Before running the migrations

    > as = ApplicationSetting.current
> as.attr_encrypted_asset_proxy_secret_key = 'foo'
> as.save!
ApplicationSetting Update (2.9ms)  UPDATE "application_settings" SET "updated_at" = '2025-05-02 10:08:57.441236', "encrypted_asset_proxy_secret_key" = '+ME6EFwWIsZAXcvnG/nF1A==', "encrypted_asset_proxy_secret_key_iv" = '9zMr2y+z8QOJqWPkC1VnQw==' WHERE "application_settings"."id" = 1

> as.asset_proxy_secret_key
=> "foo"
> as.attr_encrypted_asset_proxy_secret_key
=> "foo"
> as.tmp_asset_proxy_secret_key
=> nil

  2. After running the migrations

    > as = ApplicationSetting.current
> as.asset_proxy_secret_key = 'bar'
> as.save!
ApplicationSetting Update (0.7ms)  UPDATE "application_settings" SET "updated_at" = '2025-05-02 10:12:11.553042', "encrypted_asset_proxy_secret_key" = '05aOaenGUf5lf/o17nDwmA==', "encrypted_asset_proxy_secret_key_iv" = '75NjdRSM/+j6BFSaeCM1Qg==', "tmp_asset_proxy_secret_key" = '{"p":"DuemdN4=","h":{"iv":"GObErmk629ysOzEy","at":"V0zixjFxh5TT+ixHX0OYWA==","i":"YmIzMg=="}}' WHERE "application_settings"."id" = 1

> as.asset_proxy_secret_key
=> "bar"
> as.attr_encrypted_asset_proxy_secret_key
=> "bar"
> as.tmp_asset_proxy_secret_key
=> "bar"

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Rémy Coutable

Merge request reports