Automatic and graceful secure key rotation as a service (AaGSKRaaS)
$ heroku addons:add securekey
-----> Adding securekey to will... done, v216 (free)
$ heroku config -s | grep SECURE_KEYS
SECURE_KEYS=59b26bion3ow0o46hkw8laij99sm4gxe766q5iztumy7pz6o2m,omhltkx5cucsj9wbxw5j486uwoka3ckkjznk6fpowwywlblu6
...time passes...
$ heroku config -s | grep SECURE_KEYS
SECURE_KEYS=4pndhwz8dk57la2fqz0rdakseofsnzqbuz8a0vcwirjkpypcb7,59b26bion3ow0o46hkw8laij99sm4gxe766q5iztumy7pz6o2m
...time passes...
$ heroku config -s | grep SECURE_KEYS
SECURE_KEYS=5xhuqknssevprev03qivap4d4se4dx5xardk95y6enz7uru7eo,4pndhwz8dk57la2fqz0rdakseofsnzqbuz8a0vcwirjkpypcb7
Because you're not rotating your keys at all. And they're probably checked into your repo, which is bad. Add this add-on, and never think about it again.
You need to keep and accept the old key for a while, or your users will lose their sessions right away. My patch to Rack::Cookie takes care of that for you. A rails patch is coming soon.
Clone then run:
$ bundle install
Next you'll want to make sure you've got a local database set up:
Then you can create and migrate your database by running:
$ createdb secure_key
$ sequel -m db/ postgres:///secure_key
Make sure tests pass by running:
$ bundle exec rake
It currently uses the free heroku-postgres dev plan, pgbackups, and scheduler add-ons. The code is over at github.com/will/securekey.