reidmorrison / symmetric-encryption

Symmetric Encryption for Ruby Projects using OpenSSL

Home Page: https://logger.rocketjob.github.io/


Error generating keys

kevintyll opened this issue · comments

Starting in v3.9.0, I am getting

No such file or directory @ rb_sysopen - /etc/rails/keys/esp_web_appliance.key (Errno::ENOENT)
	from /evident/saasmin/vendor/bundle/ruby/2.4.0/gems/symmetric-encryption-3.9.0/lib/symmetric_encryption/cipher.rb:599:in `open'
	from /evident/saasmin/vendor/bundle/ruby/2.4.0/gems/symmetric-encryption-3.9.0/lib/symmetric_encryption/cipher.rb:599:in `read_from_file'

when running bin/rails generate symmetric_encryption:new_keys appliance after already having run bin/rails generate symmetric_encryption:config #{KEYS_PATH} -s

The problem is the introduction of a raise in https://github.com/rocketjob/symmetric-encryption/blob/v3.9.1/lib/symmetric_encryption/cipher.rb#L602 in read_from_file
Has the method of generating keys changed? The documentation still says to run these 2 generators. Or has a chicken-and-egg situation been introduced? Once the .yml file has been generated, the new_keys generator now throws an error when it tries to read the keys from the path defined in the .yml file, which have not yet been generated. In <= 3.8.3 it silently failed in read_from_file and continued on to generate the keys.
The code in master has been refactored, but I believe the same issue exists as an error is still being raised.
https://github.com/rocketjob/symmetric-encryption/blob/master/lib/symmetric_encryption/keystore/file.rb#L32

On a side note, a CHANGELOG file would have been very helpful in focusing my debugging efforts. It took me 4 hours of code splunking before I noticed the raise had been added.

I am currently working on v4 that no longer uses a Rake task, since it was causing problems because it wants to load the environment (and therefore the keys) before it has a chance to run the code to create the file.

v4 uses a CLI that @amedeiros created and adds more functionality around key rotation. Unfortunately v4 (master) still needs a lot of work before it is ready for use. At least another week or two before it can be used.

Our operations team mentioned they had to do something with our last key rotation due to the chicken and the egg problem.

For now try copying the old key file into the new file before running the generate command so that it has something to load. Or, is this with a brand new installation?

I tried creating a new rails app and generated new keys for it using v3.9.1.

Create the config file:

rails generate symmetric_encryption:config keys

Symmetric Encryption config not found.
To generate one for the first time: bin/rails generate symmetric_encryption:config

      create  config/symmetric-encryption.yml

Generate the keys:

rails generate symmetric_encryption:new_keys production

Please copy keys/rails5_production.key to the other servers in production.
Please copy keys/rails5_production.iv to the other servers in production.

The only way I could get it to fail with the above error is if the target directory does not exist or is not writable by the current user.

When the directory did not exist it generated the following exception:

rails generate symmetric_encryption:new_keys production

/Users/rmorrison/.rvm/gems/ruby-2.4.1/gems/symmetric-encryption-3.9.1/lib/symmetric_encryption/cipher.rb:608:in `initialize': No such file or directory @ rb_sysopen - keys/rails5_production.key (Errno::ENOENT)
	from /Users/rmorrison/.rvm/gems/ruby-2.4.1/gems/symmetric-encryption-3.9.1/lib/symmetric_encryption/cipher.rb:608:in `open'
	from /Users/rmorrison/.rvm/gems/ruby-2.4.1/gems/symmetric-encryption-3.9.1/lib/symmetric_encryption/cipher.rb:608:in `write_to_file'
	from /Users/rmorrison/.rvm/gems/ruby-2.4.1/gems/symmetric-encryption-3.9.1/lib/symmetric_encryption/cipher.rb:128:in `generate_random_keys'
	from /Users/rmorrison/.rvm/gems/ruby-2.4.1/gems/symmetric-encryption-3.9.1/lib/symmetric_encryption/symmetric_encryption.rb:280:in `generate_symmetric_key_files'
	from /Users/rmorrison/.rvm/gems/ruby-2.4.1/gems/symmetric-encryption-3.9.1/lib/rails/generators/symmetric_encryption/new_keys/new_keys_generator.rb:9:in `create_config_file'

It would be useful if it automatically created the directory if it did not exist.
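The two behaviours discussed above, reading a key file that does not exist yet and writing into a directory that does not exist yet, both fail on first run. As an added example (not the gem's own code, and not how symmetric-encryption stores its keys), here is a first-run-safe loader that reads an existing AES-256 key and IV, and on a fresh install creates the key directory and generates both files with owner-only permissions instead of raising; the file layout, names and raw-byte format are assumptions.

```ruby
# Added example, not symmetric-encryption's code: load a key/iv pair from
# files, generating them on first run instead of raising Errno::ENOENT.
require "openssl"
require "fileutils"
require "tmpdir"

KEY_BYTES = 32 # AES-256 key length
IV_BYTES  = 16 # AES block size

# Create a secret file readable only by its owner. O_EXCL makes a race
# between two generators fail loudly rather than silently overwrite a key.
def write_secret(path, data)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.binmode
    f.write(data)
  end
end

def check_lengths!(key, iv)
  raise "key must be #{KEY_BYTES} bytes, got #{key.bytesize}" unless key.bytesize == KEY_BYTES
  raise "iv must be #{IV_BYTES} bytes, got #{iv.bytesize}" unless iv.bytesize == IV_BYTES
end

# Returns [key, iv, generated]. +generated+ is true when new files were written,
# so a deploy script can print the "copy these to the other servers" reminder.
def load_or_generate_keys(key_path, iv_path)
  if File.exist?(key_path) && File.exist?(iv_path)
    key = File.binread(key_path)
    iv  = File.binread(iv_path)
    check_lengths!(key, iv)
    return [key, iv, false]
  end

  # First run: create the (assumed) key directory, owner-only, rather than
  # failing with "No such file or directory @ rb_sysopen".
  FileUtils.mkdir_p(File.dirname(key_path), mode: 0o700)
  FileUtils.mkdir_p(File.dirname(iv_path), mode: 0o700)

  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  key = cipher.random_key # 32 random bytes from OpenSSL's CSPRNG
  iv  = cipher.random_iv  # 16 random bytes

  write_secret(key_path, key)
  write_secret(iv_path, iv)
  [key, iv, true]
end
```

If only one of the two files exists, the O_EXCL open on the other raises Errno::EEXIST, which surfaces a half-generated key store instead of pairing a new IV with an old key.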

So seeing this response gave me pause. But thinking further, I believe the difference here is that you are running the command locally, so RAILS_ENV is probably development. So when the keys are generated and the env is loaded, it's using the development section of the symmetric-encryption.yml file, which does not use the key file. That makes sense.

In my case, we are deploying our product on a private cloud instance and have to generate new keys the first time the app starts up on a deployed instance. The RAILS_ENV is already set to appliance, which is comparable to production, which does use key files. So when the keys are generated in my case, it's reading the appliance section of symmetric-encryption.yml, which does have keys, which do not yet exist, so it errors out.

Knowing this now, I could likely set RAILS_ENV=development when I make the call to generate the keys. I would then have to adjust the script to copy the newly generated keys into the right place whereas they are generated in the correct path now.

Does this sound reasonable, or does this workflow prompt a change in the gem that I should wait for? Or rather, it sounds like V4 will not have this issue?

I can wait for V4 if it will address this. For now I am locking the gem down to 3.8.3.

Will V4 introduce a CHANGELOG? That would be a huge win for us as well. We tend to not use a gem that does not keep a CHANGELOG. Your gems have been the exception since we've been using them for years, and really like them, and we know you. :)

Highly recommend you check out the master branch, which will become v4. It replaces the above rake commands with a command line interface. It also generates the config file and encryption keys in a single step.

Also see: https://rocketjob.github.io/symmetric-encryption/cli.html
https://rocketjob.github.io/symmetric-encryption/configuration.html

Let me know if you run into any issues.

v4 of Symmetric Encryption is now at beta3 and includes an all new CLI that addresses the above issues.