Skip to content

Re Securing

Jump to bottom
Jeff Felchner edited this page Mar 6, 2023 · 2 revisions

There are times in which you will want to rotate your private keys. Maybe your private key was compromised in a data breach or maybe an employee that had access to it is no longer trusted. Maybe you're switching to namespaced private keys and need to re-encrypt values that were encrypted with the original shared key. How do you do it?

WARNING: If a value has been committed to the repo which you're trying to hide from someone who has the default private key, there's nothing you can do. They can always check out a commit before you introduced the namespaced key and see what the values were at that point.

What you need to do is generate something new (new password, new API key, etc) and then encrypt that new value with the namespaced key.

But let's say you know what you're doing and you want all of your existing values to be decryptable only a new private key.

That's relatively easy. All you have to do is re-secure your settings by:

  1. Running chamber unsecure
  2. Generating your new keys by reinitializing or by generating namespaced key pairs (or both)
  3. Running the proper chamber secure commands

This step will decrypt everything and then re-encrypt everything. If you have namespaced keys, such as .chamber.production.pub.pem, any production values will be re-encrypted using that key. From that point on, the old keys will no longer be able to decrypt your settings.

If you're using a cloud integration, don't forget to re-push your new private key information.

Kompanee Logo Copyright ©2023

  1. Release News
  2. Gem Comparison
  3. 12-Factor App Rebuttal
  4. Environment Variable Problems
    1. Lack of Complex Values
    2. Organization
    3. Environment Sharing
    4. Team Member Syncing
    5. Environment Syncing
    6. Local Settings
    7. Tracking Changes
  5. Installation
    1. Initialization
    2. In a Ruby Project
    3. In a Rails Project
    4. In a Rails Engine
    5. In a Sinatra Project
    6. In a Padrino Project
    7. In a Hanami Project
  6. Basics
    1. File Layout
    2. Defining Settings
    3. Accessing Settings
    4. Namespace Basics
      1. Inline Namespaces
      2. Host-Based Settings
    5. Encryption Basics
      1. Encrypting Your Settings
      2. Accessing Encrypted Settings
    6. Environment Variables
  7. Defining Settings
    1. ERB Preprocessing
    2. Runtime Values
    3. Dynamic Templating
  8. Accessing Settings
    1. Dig
  9. Verifying Settings
  10. Namespaces
    1. File-Based Namespaces
    2. Mix and Match
    3. Custom Namespaces
  11. Environment Variables
    1. Coercions
  12. Integrations
    1. Git Commit Hooks
    2. Cloud Services
  13. Encryption
    1. Keypair Encryption
    2. What Keys Can Do
    3. Encrypting Nested Structures
    4. Namespaced Key Pairs
    5. Re-Securing
    6. Loading Keys from ENV
  14. Advanced Usage
    1. Manually Specifying Settings Files
    2. Outputting Your Settings
    3. Specifying Multiple Namespaces
    4. Handling Duplicates/Collisions
    5. Extending Chamber
  15. Command Line Reference
    1. init
    2. show
    3. files
    4. sign
    5. secure
    6. unsecure
    7. compare
Clone this wiki locally