Files
sure/config/initializers/encryption_warning.rb
Andrew B 6945b5a296 feat(security): warn when ActiveRecord encryption is not configured (#2362)
* feat(security): warn when ActiveRecord encryption is not configured

Self-hosted instances without explicit ACTIVE_RECORD_ENCRYPTION_* keys (or Rails credentials) store sensitive columns - API keys, provider/bank tokens, the MFA (TOTP) secret, and PII - unencrypted at rest. The app boots and works normally so this plaintext at rest state is easy to miss.

Change: Make it visible:
  - log a clear startup warning (config/initializers/encryption_warning.rb)
  - show a warning banner on /settings/security when encryption is unconfigured

* refactor(security): apply review feedback on encryption warning

- list the three ACTIVE_RECORD_ENCRYPTION_* keys in the banner, rendered via the DS::Alert content block to match the log
- drop the redundant respond_to?(:self_hosted?) guard in the initializer so it matches the controller check
- add a managed-mode test asserting the banner is hidden
2026-06-16 08:11:03 +02:00

22 lines
961 B
Ruby

# frozen_string_literal: true
# Warn self-hosted operators when ActiveRecord Encryption is NOT configured.
#
# This emits a clear startup warning so plaintext-at-rest is never silent.
require Rails.root.join("lib/active_record_encryption_config").to_s
Rails.application.config.after_initialize do
app_mode = Rails.application.config.app_mode
if app_mode.self_hosted? && !ActiveRecordEncryptionConfig.explicitly_configured?
Rails.logger.warn(<<~WARN)
[SECURITY] ActiveRecord Encryption is NOT configured. Sensitive data
(API keys, provider/bank tokens, MFA secrets, and PII) are being stored
UNENCRYPTED at rest. To enable encryption, set the following keys in your Rails credentials or environment variables:
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
Generate a set with: bin/rails db:encryption:init
WARN
end
end