Improving the Rails Guide around setting up Active Record Encryption

Tom Rossi 2023-09-07 08:09:14 -04:00
parent 5415d3a19a
commit 2ccc2c2fe2

@ -29,7 +29,7 @@ But more importantly, by using Active Record Encryption, you define what constit
### Setup
First, you need to add some keys to your [Rails credentials](/security.html#custom-credentials). Run `bin/rails db:encryption:init` to generate a random key set:
Run `bin/rails db:encryption:init` to generate a random key set:
```bash
$ bin/rails db:encryption:init
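Review bot: The replacement intro line drops the only statement in this part of the Setup section that the generated keys have to be stored somewhere, so a reader who stops at the command output has no cue that a second step follows. Consider keeping a short pointer in the sentence itself, for example "Run `bin/rails db:encryption:init` to generate a random key set, then store it as described below", so the credentials and environment-variable options added further down are announced before the command is run.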
@ -41,6 +41,14 @@ active_record_encryption:
key_derivation_salt: xEY0dt6TZcAMg52K7O84wYzkjvbA62Hz
```
These values can be stored by copying and pasting the generated values into your existing [Rails credentials](/security.html#custom-credentials). Alternatively, these values can be configured from other sources, such as environment variables:
```ruby
config.active_record.encryption.primary_key = ENV['ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY']
config.active_record.encryption.deterministic_key = ENV['ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY']
config.active_record.encryption.key_derivation_salt = ENV['ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT']
```
NOTE: These generated values are 32 bytes in length. If you generate these yourself, the minimum lengths you should use are 12 bytes for the primary key (this will be used to derive the AES 32 bytes key) and 20 bytes for the salt.
### Declaration of Encrypted Attributes
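Review bot: The three `ENV['...']` lookups in the added Ruby block return `nil` when a variable is unset, so a deployment that forgets one of them boots without complaint and the misconfiguration only shows up later, when encryption is first used. For key material it would be safer for the guide to show `ENV.fetch("ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY")` and the same for the other two, so a missing key raises at boot. The added paragraph also does not say which file the `config.active_record.encryption.*` lines belong in; naming it (for example `config/application.rb` or an environment file) would make the snippet usable as written.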