From 6a3235b78db3a878c342a9e2dc50f62157197e24 Mon Sep 17 00:00:00 2001 From: Kasper Timm Hansen Date: Thu, 2 Mar 2017 20:11:57 +0100 Subject: [ci skip] Add changelog entry for #28139. Includes a script to ease an app's upgrade. --- railties/CHANGELOG.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index 54bf0ec65e..327b6ab66d 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,3 +1,19 @@ +* Improve encryption for encrypted secrets. + + Switch to aes-128-gcm authenticated encryption. Also generate a random + initialization vector for each encryption so the same input and key can + generate different encrypted data. + + Double the encryption key entropy by properly extracting the underlying + bytes from the hexadecimal seed key. + + NOTE: Since the encryption mechanism has been switched, you need to run + this script to upgrade: + + https://gist.github.com/kaspth/bc37989c2f39a5642112f28b1d93f343 + + *Stephen Touset* + ## Rails 5.1.0.beta1 (February 23, 2017) ## * Add encrypted secrets in `config/secrets.yml.enc`. -- cgit v1.2.3
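Review bot: The NOTE in the added entry ("you need to run this script to upgrade") points readers at a personal gist without saying what the script does or what happens if it is not run. Since the entry says the mechanism was switched to aes-128-gcm and that the key bytes are now extracted differently from the hexadecimal seed key, it should state explicitly whether an existing `config/secrets.yml.enc` stays readable before the upgrade and whether the existing key is reused. Consider summarizing the upgrade steps in the changelog itself, or shipping the script in the repository, so that users are not asked to run externally hosted, mutable code against their secrets file and key.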