Rails Secrets の歴史

Transcript

1. Rails Secrets ͷྺ࢙ Ebisu.rb #19

2. @yutadayo • ງҪ ༤ଠ • ݩ Fablic, inc CTO •

   Ebisu.rb ͷΦʔΨφΠβʔ͍ͯ͠·͢

3. ࠓ೔࿩͢͜ͱ ɾRails ͷ version ຖͷൿಗ৘ใͷऔΓѻ͍ʹ͍ͭͯ ɾRails 6.0 Ͱ credentials ͕Ͳ͏ͳΔ͔

4. ൿಗͳ৘ใ ɾDB ͷ password ɾ֎෦ API KEY ɾtwitter / facebook

   ͳͲͷ secrets key / token ɾetc…

5. ػີ৘ใ͸ϋʔυίʔυ͢Δ ΂͖Ͱͳ͍

6. ͱ͸͍͑ • .env Λ chef ΍ ansible ͳͲͰ഑ͬͨΓ… • σϓϩΠલʹ؀ڥม਺Λαʔό΁௥Ճͨ͠Γ…

   • ΤϯδχΞ͕૿͑ͨࡍʹΞΫηεΩʔ౉ͨ͠Γ… • ҉߸Խ͞Εͯͳ͍ϑΝΠϧ͸ؾΛ࢖Θͳ͍ͱ….

7. ਏ͍

8. Rails 4.1 ʙ

9. None

10. ಺༰ͷ҉߸Խ͸ɺ·ͨผखஈ͕ ඞཁ • https://github.com/joker1007/yaml_vault • https://github.com/ahoward/sekrets

11. Rails 5.1

12. None

13. Rails5.1 ͔Β Encrypted secrets ͕௥Ճ $ rails secrets:setup Adding config/secrets.yml.key

    to store the encryption key: 01234567890abcdefghijklmnopqrstu Save this in a password manager your team can access. If you lose the key, no one, including you, can access any encrypted secrets. create config/secrets.yml.key

14. Encrypted secrets • ൿಗ৘ใΛ҉߸Խͨ͠ঢ়ଶͰgit؅ཧͰ͖Δ • ؀ڥม਺ͷ RAILS_MASTER_KEY or config/ secrets.yml.key

    Ͱ෮߸ԽͰ͖Δ • ैདྷͷ secrets.yml ͷΑ͏ʹ؀ڥຖʹઃఆͰ͖ Δ

15. Rails 5.2

16. None
17. None

18. ͞ΑͳΒ Encrypted secrets

19. Credentials • ൿಗ৘ใΛ҉߸Խͨ͠ঢ়ଶͰgit؅ཧͰ͖Δ • ؀ڥม਺ͷ RAILS_MASTER_KEY or config/ master.key Ͱ෮߸ԽͰ͖Δ

    • credentials.yml.enc ϑΝΠϧͰൿಗ৘ใ؅ཧ

20. มߋ఺ &ODSZQUFE
    TFDSFUT
 3BJMT $SFEFOUJBMT
    3BJMT TFU
    VQ SBJMT
    TFDSFUTTFUVQ  FEJU SBJMT
    TFDSFUTFEJU

    SBJMT
    DSFEFOUJBMTFEJU TIPX SBJMT
    TFDSFUTTIPX SBJMT
    DSFEFOUJBMTTIPX VTF 3BJMTBQQMJDBUJPOTFDSFUTYYYY 3BJMTBQQMJDBUJPODSFEFOUJB MTYYY FODSZQUFE
    pMF DPOpHTFDSFUTZNMFOD DPOpHDSFEFOUJBMTZNMFOD EFDSFQJU
    LFZ DPOpHTFDSFUTZNMLFZ DPOpHNBTUFSLFZ

21. Credentials ͷඍົͳॴ

22. GSPN
    IUUQTHJUIVCDPNSBJMTSBJMTQVMM

23. ؀ڥຖͷઃఆ͕Ͱ͖ͳ͍ • Rails.application.secrets Ͱ secrets.yml ͸·ͩࢀরՄೳ • credentials.yml.enc Λ؀ڥຖʹॻ͖෼͚Δͷ΋ҰԠͰ͖ Δɺࢀর࣌ʹenvΛࢦఆ͠ͳ͍ͱ͍͚ͳ͍

    • Rails.application.credentials[Rails.env.to_sym] [:api_key] • gem Λ࢖ͬͯղܾ΋Ͱ͖Δ • https://github.com/sinsoku/rails-env-credentials

24. GSPN
    IUUQTHJUIVCDPNSBJMTSBJMTQVMM

25. Rails 6.0 ͔Β͸؀ڥຖʹ credentials ΛઃఆͰ͖ΔΑ͏ʹ ͳΓͦ͏…!

26. ࢼͯ͠ΈΔ

27. $ EDITOR=vim bundle exec rails credentials:edit -—environment staging Adding config/credentials/staging.key

    to store the encryption key: 01234567890abcdefghijklmnopqrstu Save this in a password manager your team can access. If you lose the key, no one, including you, can access anything encrypted with it. create config/credentials/staging.key Ignoring config/credentials/staging.key so it wont’s end up in Git append .gitignore File encrypted and saved. $ ls -l config/credentials staging.key staging.yml.enc

28. • credentials σΟϨΫτϦ͕ੜ੒͞Εɺ؀ڥຖͷ key ͱ encrypted file ͕ੜ੒͞ΕΔ • ͦΕͧΕͷ

    key ͕ .gitignore ϑΝΠϧʹ௥Ճ͞ΕΔ • ԼهͷઃఆΛม͑Δ͜ͱͰɺkey ͱ encrypted file ͷੜ ੒ઌΛࢦఆͰ͖ΔΑ͏Ͱ͢ • config.credentials.content_path • config.credentials.key_path • ؀ڥม਺͸ ENV[“RAILS_MASTER_KEY”] ͷΈ ݁Ռ

29. ·ͱΊ • Rails6͔Β؀ڥຖʹൿಗ৘ใΛ҉߸Խͯ͠؅ཧͰ͖ͦ͏ • Rails5ܥͰ৽͘͠؀ڥຖʹ஋Λઃఆ͠Α͏ͱͯ͠Δਓ ͸଴ͬͨํ͕͍͍͔΋ʁ • RAILS_MASTER_KEY ͷ؅ཧ͸ඞཁͳͷͰɺσϓϩΠͷ ࢓૊Έ͸Ҿ͖ଓ͖ߟ͑ͳ͍ͱ͍͚ͳ͍