ankane/blind_index

Updating to 2.0

MattDHill opened this issue · 5 comments

I'm updating to from 1.0.1 to 2.0.1. Should I maintain separate keys for lockbox and blind_index, or is there a way to combine according to enhanced integration?

Hey @MattDHill, using separate keys is 100% fine.

However, if you really want to combine them, you'll need to rotate one of them to the other's master key. It's typically easier to rotate Lockbox since it doesn't require creating a new column. Here are instructions for Lockbox: https://github.com/ankane/lockbox#key-rotation. Be sure to use master_key instead of key in previous_versions.

I'm sure others will have this same question, so here's a quick breakdown. Examples use environment variables, but it's a similar process even if you don't.

  1. Prep your models for rotation
class User < ApplicationRecord
  encrypts :name, :email, previous_versions: {master_key: ENV["LOCKBOX_MASTER_KEY"]}
end
  1. Change your Lockbox master key in an initializer (new records/updates will be encrypted with this master key)
Lockbox.master_key = ENV["BLIND_INDEX_MASTER_KEY"]
  1. Rotate each of your models
Lockbox.rotate(User, attributes: [:name, :email])
  1. Remove previous_versions from your models

  2. (environment variables only) Rename ENV["BLIND_INDEX_MASTER_KEY"] to ENV["LOCKBOX_MASTER_KEY"] and delete the Lockbox.master_key = "..." line

Awesome, TY

I assume step 2 would go in a config/initializers/lockbox.rb file?

Also, I can then safely delete the old "LOCKBOX_MASTER_KEY" environment variable, correct?

Yeah, updated for clarity. You'll want to keep the original ENV["LOCKBOX_MASTER_KEY"] until after step 4 in the example above (since it's used directly in the model).