author | Kasper Timm Hansen <kaspth@gmail.com> | 2017-02-23 15:01:02 +0100 |
committer | David Heinemeier Hansson <david@loudthinking.com> | 2017-02-23 15:01:02 +0100 |
commit | 11660945696155c86a05260795e1a0afce0d291d (patch) | |
tree | 78f546f5b80c8ab4f01ff68bf5945d1a58a74e45 /railties/lib/rails/generators | |
parent | fd85bec26148e05a8e3d546c2827c889f9a9f8f8 (diff) | |
Add encrypted secrets (#28038)
Diffstat (limited to 'railties/lib/rails/generators')
4 files changed, 78 insertions, 2 deletions
diff --git a/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt b/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
index 4a39e43e57..9c4a77fd1d 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
+++ b/railties/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt
@@ -14,6 +14,11 @@ Rails.application.configure do
   config.consider_all_requests_local = false
   config.action_controller.perform_caching = true
 
+  # Attempt to read encrypted secrets from `config/secrets.yml.enc`.
+  # Requires an encryption key in `ENV["RAILS_MASTER_KEY"]` or
+  # `config/secrets.yml.key`.
+  config.read_encrypted_secrets = true
+
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
   config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
diff --git a/railties/lib/rails/generators/rails/app/templates/config/secrets.yml b/railties/lib/rails/generators/rails/app/templates/config/secrets.yml
index 8e995a5df1..816efcc5b1 100644
--- a/railties/lib/rails/generators/rails/app/templates/config/secrets.yml
+++ b/railties/lib/rails/generators/rails/app/templates/config/secrets.yml
@@ -23,8 +23,10 @@ development:
 test:
   secret_key_base: <%= app_secret %>
 
-# Do not keep production secrets in the repository,
-# instead read values from the environment.
+# Do not keep production secrets in the unencrypted secrets file.
+# Instead, either read values from the environment.
+# Or, use `bin/rails secrets:setup` to configure encrypted secrets
+# and move the `production:` environment over there.
 
 production:
   secret_key_base: <%%= ENV["SECRET_KEY_BASE"] %>
diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
new file mode 100644
index 0000000000..8b29213610
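Review bot: The new comment in production.rb.tt names the two places the key can come from but not what happens at boot when neither `ENV["RAILS_MASTER_KEY"]` nor `config/secrets.yml.key` is present, which is exactly the situation an operator hits on a fresh host; whether that aborts boot or silently leaves `config/secrets.yml.enc` unread cannot be seen from this hunk. Since the option is switched on by default in every generated production config, I'd extend the comment with one line stating the failure mode, for instance `# A missing key aborts boot rather than silently skipping the encrypted file.`, once that wording matches how `read_encrypted_secrets` is actually implemented. The enclosing `Rails.application.configure do` block starts and ends outside the hunk.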
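Review bot: The replacement comment in secrets.yml reads as one sentence cut in two: `# Instead, either read values from the environment.` is followed by `# Or, use ...`, so the `either` never pairs with its `or`, and the full stop after `environment` makes the second line look like a separate instruction. I'd join them across the three lines as `# Instead, either read values from the environment or use` / `# bin/rails secrets:setup to configure encrypted secrets and move the` / `# production: environment over there.`, keeping the backticks the hunk already puts around the command and around `production:`.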
--- /dev/null
+++ b/railties/lib/rails/generators/rails/encrypted_secrets/encrypted_secrets_generator.rb
@@ -0,0 +1,66 @@
+require "rails/generators/base"
+require "rails/secrets"
+
+module Rails
+  module Generators
+    class EncryptedSecretsGenerator < Base
+      def add_secrets_key_file
+        unless File.exist?("config/secrets.yml.key") || File.exist?("config/secrets.yml.enc")
+          key = Rails::Secrets.generate_key
+
+          say "Adding config/secrets.yml.key to store the encryption key: #{key}"
+          say ""
+          say "Save this in a password manager your team can access."
+          say ""
+          say "If you lose the key, no one, including you, can access any encrypted secrets."
+
+          say ""
+          create_file "config/secrets.yml.key", key
+          say ""
+        end
+      end
+
+      def ignore_key_file
+        if File.exist?(".gitignore")
+          unless File.read(".gitignore").include?(key_ignore)
+            say "Ignoring config/secrets.yml.key so it won't end up in Git history:"
+            say ""
+            append_to_file ".gitignore", key_ignore
+            say ""
+          end
+        else
+          say "IMPORTANT: Don't commit config/secrets.yml.key. Add this to your ignore file:"
+          say key_ignore, :on_green
+          say ""
+        end
+      end
+
+      def add_encrypted_secrets_file
+        unless File.exist?("config/secrets.yml.enc")
+          say "Adding config/secrets.yml.enc to store secrets that needs to be encrypted."
+          say ""
+
+          template "config/secrets.yml.enc" do |prefill|
+            say ""
+            say "For now the file contains this but it's been encrypted with the generated key:"
+            say ""
+            say prefill, :on_green
+            say ""
+
+            Secrets.encrypt(prefill)
+          end
+
+          say "You can edit encrypted secrets with `bin/rails secrets:edit`."
+
+          say "Add this to your config/environments/production.rb:"
+          say "config.read_encrypted_secrets = true"
+        end
+      end
+
+      private
+        def key_ignore
+          [ "", "# Ignore encrypted secrets key file.", "config/secrets.yml.key", "" ].join("\n")
+        end
+    end
+  end
+end
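Review bot: `create_file "config/secrets.yml.key", key` in `add_secrets_key_file` writes the master key with whatever mode Thor's file creation defaults to (presumably the process umask, so typically world-readable), and nothing in the hunk tightens it, so on a shared development box or build host any local user can read the key and with it every encrypted secret. I'd follow the write with `File.chmod(0600, "config/secrets.yml.key")`. The same method also prints the key itself via `say "Adding config/secrets.yml.key to store the encryption key: #{key}"`, which lands in terminal scrollback and any CI log capturing the run; that is a deliberate UX choice, but it deserves a warning line such as `say "The key above is now in your terminal output; clear shared scrollback or CI logs."`. Note too that `ignore_key_file` runs only after the key file already exists on disk, so a generator that aborts between the two steps leaves an unignored key in the working tree.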
diff --git a/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc b/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc
new file mode 100644
index 0000000000..70426a66a5
--- /dev/null
+++ b/railties/lib/rails/generators/rails/encrypted_secrets/templates/config/secrets.yml.enc
@@ -0,0 +1,3 @@
+# See `secrets.yml` for tips on generating suitable keys.
+# production:
+#   external_api_key: 1466aac22e6a869134be3d09b9e89232fc2c2289…