Encrypt Rails secrets - Discovery
We need to protect the secrets we use in Rails, as part of the project to separate all passwords and config. This is part of one of the most commonly requested features in Omnibus, to separate configuration and passwords: #2183 (closed)
Depending on the version of Rails 5, there are different options:
- Rails Encrypted Secrets (5.1): https://www.engineyard.com/blog/encrypted-rails-secrets-on-rails-5.1
- Rails Encrypted Credentials (5.2): https://www.engineyard.com/blog/rails-encrypted-credentials-on-rails-5.2
With the upgrade to Rails 5.0.7 planned for early %11.6 (https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/21492), and subsequent upgrades planned (https://gitlab.com/gitlab-org/gitlab-ce/issues/48392), we should investigate these solutions.
Proposal
- Evaluate the solutions noted above
- Determine impact on HA deployments
- Do we need to consider additional helper tooling?
- Can Consul help? Is it worth looking into combining it with Vault?
- Determine effort involved in migrating between solutions (Encrypted Secrets is deprecated in 5.2)
- Do we need to wait for 5.2? (No current ETA)
The output of this issue should be a concrete plan and architecture for achieving encryption of Rails secrets.