Add further warnings about encryption secrets (#32476)

2024-10-14 15:00:20 +02:00 · 2024-10-14 15:00:20 +02:00 · ffa1032381
commit ffa1032381
parent cc70acc11c
2 changed files with 12 additions and 0 deletions
--- a/config/initializers/active_record_encryption.rb
+++ b/config/initializers/active_record_encryption.rb
@ -20,6 +20,7 @@
        - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY

      Run `bin/rails db:encryption:init` to generate new secrets and then assign the environment variables.
+      Do not change the secrets once they are set, as doing so may cause data loss and other issues that will be difficult or impossible to recover from.
    MESSAGE
  end

--- a/lib/tasks/db.rake
+++ b/lib/tasks/db.rake
@ -7,6 +7,17 @@ namespace :db do
  namespace :encryption do
    desc 'Generate a set of keys for configuring Active Record encryption in a given environment'
    task :init do # rubocop:disable Rails/RakeEnvironment
+      if %w(
+        ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+        ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+        ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+      ).any? { |key| ENV.key?(key) }
+        pastel = Pastel.new
+        puts pastel.red(<<~MSG)
+          WARNING: It looks like encryption secrets have already been set. Please ensure you are not changing secrets for a Mastodon installation that already uses them, as this will cause data loss and other issues that are difficult to recover from.
+        MSG
+      end
+
      puts <<~MSG
        Add the following secret environment variables to your Mastodon environment (e.g. .env.production), ensure they are shared across all your nodes and do not change them after they are set:#{' '}