Rails 7 encryption configuration not correctly set

Question

I am trying to migrate a project from attr_encrypted to Rails 7 encryption. The testing that I am doing right now is only on the development & test environments, so migrating data is not necessary for now.

The steps that I did were:

1. changing everything from attr_encrypted syntax to encrypts
2. running bin/rails db:encryption:init and adding these values into the development & test credentials 2.1. I also tried using RAILS_ENV=test bin/rails db:encryption:init and putting those into the test credentials, in case the different dbs needed different values

The issue that I am having right now is that whenever I run the tests (which start with a clean db) I get this error:

ActiveRecord::Encryption::Errors::Configuration:
        key_derivation_salt is not configured. Please configure it via credential active_record_encryption.key_derivation_salt or by setting config.active_record.encryption.key_derivation_salt

Although if I go into Rails console I do get the values:

 Credentials[:active_record_encryption]
=> {:primary_key=>"T..", :deterministic_key=>"k..", :key_derivation_salt=>"6.."}

In a desperate attempt to fix this issue or at least see what helps, I added to the environments Ruby files these lines:

config.active_record.encryption.key_derivation_salt = Credentials[:active_record_encryption][:key_derivation_salt]
  config.active_record.encryption.primary_key = Credentials[:active_record_encryption][:primary_key]
  config.active_record.encryption.deterministic_key = Credentials[:active_record_encryption][:deterministic_key]

This seems to fix the error, but the tests fail because it seems like it is decrypting the values as nil (tests were previously passing ofc)

Am I missing a configuration step?

I think that these null values come from not updating them inside the database? How would I do that?

Also, is there any other way so I do not need to add these lines into the environment files? It seems kind of redundant.

Answer 1

First run this command

bin/rails db:encryption:init

This will generate the following

Add this entry to the credentials of the target environment: 

active_record_encryption:
  primary_key: Q3TJUKuOUGSZmgqaD2WZ72pQdg5Rikfn
  deterministic_key: lYew1Q7BE98tDXdqytP3iwvJcu8dYulX
  key_derivation_salt: 9REysw2kZuLybtKjtJsIZHg8cTd2DyMT

Add the following config in application.rb

config.active_record.encryption.primary_key = ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY']
config.active_record.encryption.deterministic_key = ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY']
config.active_record.encryption.key_derivation_salt = ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT']

You can either add this config/credentials/local.yml.enc

Then you can configure this by following.

config.credentials.content_path = 'config/credentials/local.yml.enc'

OR

config.active_record.encryption.primary_key = Rails.application.credentials[:active_record_encryption][:primary_key]
config.active_record.encryption.deterministic_key = Rails.application.credentials[:active_record_encryption][:deterministic_key]
config.active_record.encryption.key_derivation_salt = Rails.application.credentials[:active_record_encryption][:key_derivation_salt]

Ref Link: https://guides.rubyonrails.org/active_record_encryption.html

https://www.freshworks.com/eng-blogs/managing-rails-application-secrets-with-encrypted-credentials-blog/