CipherStash Documentation

Add a workspace and access key for production use

In the previous steps, we have:

  • Signed up for a free account and workspace with CipherStash.
  • Signed in to our account.
  • Updated our model to declare which fields we want to be able to query.
  • Reindexed our records into a CipherStash workspace.
  • Queried encrypted records.

In this step we will:

  • Create a new workspace to use for production.
  • Create an access key to be able to talk to CipherStash without any interactive user authentication.
  • Configure environment variables to use ActiveStash in production.

Create a new workspace

When you first sign up to CipherStash you are automatically allocated a workspace for your collections.

If you want to create an additional workspace to use for different environments, you can do that via the CipherStash console.

To add a new workspace:

1. Log into the CipherStash console.

2. Click on Add workspace.


3. Specify a name for your workspace, select a region, and click save.

Workspaces are available in ap-southeast-2 and us-east-1 AWS regions.

New workspace form

Make sure to record the workspace ID allocated to you, for use in the next step.

Creating deployment credentials

In order for your Rails application to interact with ActiveStash without the need for a user to authenticate, you will need a CipherStash access key.

CipherStash access keys enable your client to programmatically access the CipherStash data service.

This means that any client that has access to this key is authorised to access your data in CipherStash.

The information below will guide you through how to create, list and revoke keys.

Create an access key

1. In your Rails app with ActiveStash installed, log in to the workspace assigned to you in the previous step.

Using bash:

$ rake active_stash:login[YOURWORKSPACEID]

Using zsh:

$ rake active_stash:login\[WorkspaceId\]

2. Run the below rake command, specifying a name for your access key.

In this example, the access key name is prod.

rake active_stash:access_key:create[prod]

The output will display the access key.

The access key looks similar to the below.

It is made up of a key id and a secret, CSAKaccessKeyId.accessKeySecret.


This is the only time the entire key, including the secret, will be displayed, so make sure to copy the key.

If you do happen to forget to copy the key over, you can always generate a new key, and revoke the previously generated key via the key name.

It is recommended to rotate your access keys regularly. You can do this by generating a new access key, updating your configuration with the new access key, and revoking the old one.

See below on how to list and revoke keys.

List Access keys

To list the access keys for a workspace run:

rake active_stash:access_key:list

Which will output something that looks like this:

| Key Name    | Key ID           | Created At              | Last Used At            |
| prod        | AAABBBCCCDDDJJJ  | 2022-01-01 11:05:46 UTC |                         |

Revoke Access key

To revoke an access key use the below command using the key name you specified for the key.

active_stash:access_key:delete['name of access key to revoke']

You will receive the below confirmation that the key has been revoked.

Key 'access key name' deleted

Next up we will go through the steps to configure your application for deployment.

Configure environment variables for production

To configure your Rails app to be deployed to production, set these environment variables in the environment you are running your app in production:

  • CS_IDP_CLIENT_SECRET: The CipherStash access key you created in the previous step.
  • CS_WORKSPACE: The ID of the workspace you created in the previous step.
  • CS_NAMING_KEY: The naming key. You can find this value in ~/.cipherstash/<profile>/profile-config.json, under keyManagement.key.namingKey.
  • CS_KMS_KEY_ARN: The naming key ARN. You can find this value in ~/.cipherstash/<profile>/profile-config.json, under keyManagement.key.arn.

ActiveStash will detect that these environment variables are set and use these credentials to authenticate.

Ensure that these are the only environment variables set for CipherStash.

More info on client configuration can be found here.

Heroku deployments

To prevent any issues with gems installing when building the app in heroku, run bundle lock --add-platform x86_64-linux to ensure that your Gemfile.lock is valid for the x86_64-linux platfo