Separate secret_key_base in Rails 5.2?


Question

I just upgraded from 5.1 to 5.2 and I'm quite confused about this 'better' methodology to storing secrets...

Maybe I'm not understanding, but it seems like now development and production have been 'merged' into a SINGLE SECRET_KEY_BASE as well as master.key... is this correct?

If not, how do I use a separate master key and SECRET_KEY_BASE in development?

What if I have developers helping me and I don't want them to know my master key (or secrets) I use in production?

Recommended answer

Rails 5.2 changed this quite a bit. For development and test environments, the secret_key_base is generated automatically, so you can just remove it from secrets.yml or wherever you have it set.

As for production, there is the credentials file, which you can generate and edit by running rails credentials:edit. This will also create the master key in config/master.key, which is only used for encrypting and decrypting this file. Add this to gitignore so it's not shared with anyone else, which should take care of sharing it with fellow devs.

If all of this sounds a bit tedious, and it is, you can just ignore it and provide the secret_key_base in ENV. Rails will check if it's present in ENV["SECRET_KEY_BASE"] before it complains.
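
An added example, not part of the original answer and not Rails code: a Ruby preflight check for the setup the answer describes (master key kept out of git, no literal secret_key_base left in secrets.yml, production able to obtain a key). The function names and the sample tree are hypothetical; RAILS_MASTER_KEY is Rails' environment-variable alternative to config/master.key, which the answer does not mention.

```ruby
require "tmpdir"
require "fileutils"

# Hypothetical helper, not part of Rails. Returns findings for the app at
# `root`, given the process environment `env` (a Hash such as ENV.to_h).
def audit_secret_setup(root, env)
  findings = []
  key = File.join(root, "config", "master.key")
  enc = File.join(root, "config", "credentials.yml.enc")
  yml = File.join(root, "config", "secrets.yml")
  ign = File.join(root, ".gitignore")

  # Simplification: only a literal .gitignore entry counts, globs are not expanded.
  entries = File.exist?(ign) ? File.readlines(ign, chomp: true) : []
  ignored = entries.map { |l| l.strip.sub(%r{\A/}, "") }.include?("config/master.key")
  if File.exist?(key) && !ignored
    findings << "config/master.key exists but is not listed in .gitignore"
  end

  # A literal value in secrets.yml (not an ERB lookup) is a secret kept in the repo.
  if File.exist?(yml) && File.read(yml).match?(/^\s*secret_key_base:\s*(?!<%)\S/)
    findings << "config/secrets.yml still hard-codes secret_key_base"
  end

  # Production needs either the ENV value or the encrypted file plus its key.
  have_key = File.exist?(key) || !env["RAILS_MASTER_KEY"].to_s.empty?
  if env["SECRET_KEY_BASE"].to_s.empty? && !(File.exist?(enc) && have_key)
    findings << "no SECRET_KEY_BASE in ENV and no credentials file with master key"
  end
  findings
end

# Constructed sample app tree, built in a temp dir so the script runs offline.
def sample_app(gitignore:, secrets: nil)
  root = Dir.mktmpdir("rails52-audit")
  FileUtils.mkdir_p(File.join(root, "config"))
  File.write(File.join(root, "config", "master.key"), "0" * 32) # placeholder key
  File.write(File.join(root, "config", "credentials.yml.enc"), "constructed")
  File.write(File.join(root, ".gitignore"), gitignore)
  File.write(File.join(root, "config", "secrets.yml"), secrets) if secrets
  root
end

if __FILE__ == $PROGRAM_NAME
  bad = sample_app(gitignore: "/log/*\n", secrets: "development:\n  secret_key_base: abc123\n")
  puts audit_secret_setup(bad, {})
  FileUtils.remove_entry(bad)
end
```

Run against a real checkout, pass the app root and ENV.to_h from the production host; an empty result means none of the three conditions was found.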
