Automatic and graceful secure key rotation as a service (AaGSKRaaS)


$ heroku addons:add securekey
-----> Adding securekey to will... done, v216 (free)

$ heroku config -s | grep SECURE_KEYS

...time passes...

$ heroku config -s | grep SECURE_KEYS

...time passes...

$ heroku config -s | grep SECURE_KEYS


Because you're not rotating your keys at all. And they're probably checked into your repo, which is bad. Add this add-on, and never think about it again.

You need to keep and accept the old key for a while, or your users will lose their sessions right away. My patch to Rack::Cookie takes care of that for you. A rails patch is coming soon.


Clone then run:

$ bundle install

Next you'll want to make sure you've got a local database set up:

Then you can create and migrate your database by running:

$ createdb secure_key
$ sequel -m db/ postgres:///secure_key

Make sure tests pass by running:

$ bundle exec rake

A Heroku add-on, running on Heroku, made with Heroku add-ons

It currently uses the free heroku-postgres dev plan, pgbackups, and scheduler add-ons. The code is over at