monfresh
left a comment
lgtm but we can't merge this until we run a rake task on all the servers that encrypts the OTP secret from the existing plain text otp_secret_key

I believe this is what needs to be run:

```ruby
User.where.not(otp_secret_key: nil).find_in_batches.with_index do |users, batch|
  users.each do |user|
    encrypted_attribute = EncryptedAttribute.new_from_decrypted(user.otp_secret_key)
    execute "UPDATE users SET encrypted_otp_secret_key='#{encrypted_attribute.encrypted}' WHERE id=#{user.id}"
  end
end
```

@pkarman Can you confirm?
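Added example (not from this thread or the project's code): the backfill discussed above, made idempotent and checked with a decrypt round trip before the encrypted value is stored. `OtpSecretCipher` is a hypothetical AES-256-GCM stand-in for the project's `EncryptedAttribute`, and the users table is modelled as constructed in-memory rows.

```ruby
require "openssl"

# Hypothetical stand-in for the project's EncryptedAttribute (assumption:
# AES-256-GCM, stored as Base64 of nonce || tag || ciphertext).
module OtpSecretCipher
  def self.encrypt(key, plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    nonce = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    [nonce + cipher.auth_tag + ciphertext].pack("m0")
  end

  def self.decrypt(key, encoded)
    raw = encoded.unpack1("m0")
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = raw.byteslice(0, 12)
    cipher.auth_tag = raw.byteslice(12, 16)
    plain = cipher.update(raw.byteslice(28, raw.bytesize)) + cipher.final
    plain.force_encoding("UTF-8")
  end
end

# Encrypts rows that have a plaintext secret but no encrypted one, checks the
# round trip, and returns the ids it changed. A second run changes nothing.
def backfill_otp_secrets(users, key)
  users.each_with_object([]) do |user, changed|
    next if user[:otp_secret_key].nil? || user[:encrypted_otp_secret_key]
    encrypted = OtpSecretCipher.encrypt(key, user[:otp_secret_key])
    unless OtpSecretCipher.decrypt(key, encrypted) == user[:otp_secret_key]
      raise "round-trip mismatch for user #{user[:id]}"
    end
    user[:encrypted_otp_secret_key] = encrypted
    changed << user[:id]
  end
end

# Constructed sample data: demo key and rows, not real secrets.
SAMPLE_KEY = OpenSSL::Digest.new("SHA256").digest("constructed demo key")
SAMPLE_USERS = [
  { id: 1, otp_secret_key: "JBSWY3DPEHPK3PXP", encrypted_otp_secret_key: nil },
  { id: 2, otp_secret_key: nil, encrypted_otp_secret_key: nil },
  { id: 3, otp_secret_key: "KRSXG5CTMVRXEZLU", encrypted_otp_secret_key: nil },
]

if __FILE__ == $PROGRAM_NAME
  users = SAMPLE_USERS.map(&:dup)
  puts "first run:  #{backfill_otp_secrets(users, SAMPLE_KEY).inspect}"
  puts "second run: #{backfill_otp_secrets(users, SAMPLE_KEY).inspect}"
end
```

In a real database the update would pass the encrypted value as a bound parameter rather than interpolating it into the SQL string.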

that looks correct to me. Didn't realize that wasn't already done as part of the migration.

see #1170

I just remembered that we need to merge and deploy this before we launch. We can't have these plain text columns in the production database.

These plaintext columns will be ignored in any database. The code ignores them, so no data is read/written. We can launch w/o dropping them.

Agreed. It was a brain fart on my part. I confused the ability to see what's in the DB when all you have access to is the DB, with the ability to see the plaintext values when you have access to the Rails console. The DB will indeed not populate those columns, but if you have access to the Rails console, you can look up the decrypted values, which is expected.

the task has been run in

**Why**: Encrypted attributes have now propagated through all AWS environments.
7be9a48 to d4cc455