[ci skip] Add changelog entry for #28139.

Includes a script to ease an app's upgrade.
author: Kasper Timm Hansen <kaspth@gmail.com> 2017-03-02 20:11:57 +0100
committer: Kasper Timm Hansen <kaspth@gmail.com> 2017-03-02 20:11:57 +0100
commit: 6a3235b78db3a878c342a9e2dc50f62157197e24 (patch)
tree: 95ce5ba32af13883391857dbb42defc0ec0393a1 /railties
parent: d22f8796919b2e8eeadce1d74ad4cf33f695e57e (diff)
download: rails-6a3235b78db3a878c342a9e2dc50f62157197e24.tar.gz
rails-6a3235b78db3a878c342a9e2dc50f62157197e24.tar.bz2
rails-6a3235b78db3a878c342a9e2dc50f62157197e24.zip
1 files changed, 16 insertions, 0 deletions
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
index 54bf0ec65e..327b6ab66d 100644
--- a/railties/CHANGELOG.md
+++ b/railties/CHANGELOG.md
@@ -1,3 +1,19 @@
+*   Improve encryption for encrypted secrets.
+
+    Switch to aes-128-gcm authenticated encryption. Also generate a random
+    initialization vector for each encryption so the same input and key can
+    generate different encrypted data.
+
+    Double the encryption key entropy by properly extracting the underlying
+    bytes from the hexadecimal seed key.
+
+    NOTE: Since the encryption mechanism has been switched, you need to run
+    this script to upgrade:
+
+    https://gist.github.com/kaspth/bc37989c2f39a5642112f28b1d93f343
+
+    *Stephen Touset*
+
 ## Rails 5.1.0.beta1 (February 23, 2017) ##
 
 *   Add encrypted secrets in `config/secrets.yml.enc`.
author	Kasper Timm Hansen <kaspth@gmail.com>	2017-03-02 20:11:57 +0100
committer	Kasper Timm Hansen <kaspth@gmail.com>	2017-03-02 20:11:57 +0100
commit	6a3235b78db3a878c342a9e2dc50f62157197e24 (patch)
tree	95ce5ba32af13883391857dbb42defc0ec0393a1 /railties
parent	d22f8796919b2e8eeadce1d74ad4cf33f695e57e (diff)
download	rails-6a3235b78db3a878c342a9e2dc50f62157197e24.tar.gz rails-6a3235b78db3a878c342a9e2dc50f62157197e24.tar.bz2 rails-6a3235b78db3a878c342a9e2dc50f62157197e24.zip