Rename master_key => primary_key

actiontext/test/test_helper.rb

@@ -47,7 +47,7 @@ end
 
 # Encryption
 ActiveRecord::Encryption.configure \
-  master_key: "test master key",
+  primary_key: "test master key",
   deterministic_key: "test deterministic key",
   key_derivation_salt: "testing key derivation salt",
   support_unencrypted_data: true

activerecord/lib/active_record/encryption/config.rb

@@ -4,7 +4,7 @@ module ActiveRecord
   module Encryption
     # Container of configuration options
     class Config
-      attr_accessor :master_key, :deterministic_key, :store_key_references, :key_derivation_salt,
+      attr_accessor :primary_key, :deterministic_key, :store_key_references, :key_derivation_salt,
                     :support_unencrypted_data, :encrypt_fixtures, :validate_column_size, :add_to_filter_parameters,
                     :excluded_from_filter_parameters, :extend_queries
 

activerecord/lib/active_record/encryption/configurable.rb

@@ -17,12 +17,12 @@ module ActiveRecord
           delegate name, to: :context
         end
 
-        def configure(master_key:, deterministic_key:, key_derivation_salt:, **properties) #:nodoc:
-          config.master_key = master_key
+        def configure(primary_key:, deterministic_key:, key_derivation_salt:, **properties) #:nodoc:
+          config.primary_key = primary_key
           config.deterministic_key = deterministic_key
           config.key_derivation_salt = key_derivation_salt
 
-          context.key_provider = ActiveRecord::Encryption::DerivedSecretKeyProvider.new(master_key)
+          context.key_provider = ActiveRecord::Encryption::DerivedSecretKeyProvider.new(primary_key)
 
           properties.each do |name, value|
             [:context, :config].each do |configurable_object_name|

activerecord/lib/active_record/encryption/envelope_encryption_key_provider.rb

@@ -19,7 +19,7 @@ module ActiveRecord
         random_secret = generate_random_secret
         ActiveRecord::Encryption::Key.new(random_secret).tap do |key|
           key.public_tags.encrypted_data_key = encrypt_data_key(random_secret)
-          key.public_tags.encrypted_data_key_id = active_master_key.id if ActiveRecord::Encryption.config.store_key_references
+          key.public_tags.encrypted_data_key_id = active_primary_key.id if ActiveRecord::Encryption.config.store_key_references
         end
       end
 
@@ -28,23 +28,23 @@ module ActiveRecord
         secret ? [ActiveRecord::Encryption::Key.new(secret)] : []
       end
 
-      def active_master_key
-        @active_master_key ||= master_key_provider.encryption_key
+      def active_primary_key
+        @active_primary_key ||= primary_key_provider.encryption_key
       end
 
       private
         def encrypt_data_key(random_secret)
-          ActiveRecord::Encryption.cipher.encrypt(random_secret, key: active_master_key.secret)
+          ActiveRecord::Encryption.cipher.encrypt(random_secret, key: active_primary_key.secret)
         end
 
         def decrypt_data_key(encrypted_message)
           encrypted_data_key = encrypted_message.headers.encrypted_data_key
-          key = master_key_provider.decryption_keys(encrypted_message)&.collect(&:secret)
+          key = primary_key_provider.decryption_keys(encrypted_message)&.collect(&:secret)
           ActiveRecord::Encryption.cipher.decrypt encrypted_data_key, key: key if key
         end
 
-        def master_key_provider
-          @master_key_provider ||= DerivedSecretKeyProvider.new(ActiveRecord::Encryption.config.master_key)
+        def primary_key_provider
+          @primary_key_provider ||= DerivedSecretKeyProvider.new(ActiveRecord::Encryption.config.primary_key)
         end
 
         def generate_random_secret

activerecord/lib/active_record/railtie.rb

@@ -280,7 +280,7 @@ To keep using the current cache store, you can turn off cache versioning entirel
 
     initializer "active_record_encryption.configuration" do |app|
       ActiveRecord::Encryption.configure \
-         master_key: app.credentials.dig(:active_record_encryption, :master_key),
+         primary_key: app.credentials.dig(:active_record_encryption, :primary_key),
          deterministic_key: app.credentials.dig(:active_record_encryption, :deterministic_key),
          key_derivation_salt: app.credentials.dig(:active_record_encryption, :key_derivation_salt),
          **config.active_record.encryption

activerecord/lib/active_record/railties/databases.rake

@@ -558,7 +558,7 @@ db_namespace = namespace :db do
         Add this entry to the credentials of the target environment:#{' '}
 
         active_record_encryption:
-          master_key: #{SecureRandom.alphanumeric(32)}
+          primary_key: #{SecureRandom.alphanumeric(32)}
           deterministic_key: #{SecureRandom.alphanumeric(32)}
           key_derivation_salt: #{SecureRandom.alphanumeric(32)}
       MSG

activerecord/test/cases/encryption/configurable_test.rb

@@ -2,6 +2,7 @@
 
 require "cases/encryption/helper"
 require "models/pirate"
+require "models/book"
 
 class ActiveRecord::Encryption::ConfigurableTest < ActiveRecord::TestCase
   test "can access context properties with top level getters" do

activerecord/test/cases/encryption/envelope_encryption_key_provider_test.rb

@@ -19,7 +19,7 @@ class ActiveRecord::Encryption::EnvelopeEncryptionKeyProviderTest < ActiveRecord
   test "generated random keys carry their secret encrypted with the master key" do
     key = @key_provider.encryption_key
     encrypted_secret = key.public_tags.encrypted_data_key
-    assert_equal key.secret, ActiveRecord::Encryption.cipher.decrypt(encrypted_secret, key: @key_provider.active_master_key.secret)
+    assert_equal key.secret, ActiveRecord::Encryption.cipher.decrypt(encrypted_secret, key: @key_provider.active_primary_key.secret)
   end
 
   test "decryption_key_for returns the decryption key for a message that was encrypted with a generated encryption key" do
@@ -30,20 +30,20 @@ class ActiveRecord::Encryption::EnvelopeEncryptionKeyProviderTest < ActiveRecord
   end
 
   test "work with multiple keys when config.store_key_references is false" do
-    ActiveRecord::Encryption.config.master_key = ["key 1", "key 2"]
+    ActiveRecord::Encryption.config.primary_key = ["key 1", "key 2"]
 
     assert_encryptor_works_with @key_provider
   end
 
   test "work with multiple keys when config.store_key_references is true" do
-    ActiveRecord::Encryption.config.master_key = ["key 1", "key 2"]
+    ActiveRecord::Encryption.config.primary_key = ["key 1", "key 2"]
     ActiveRecord::Encryption.config.store_key_references = true
 
     assert_encryptor_works_with @key_provider
   end
 
   private
-    def assert_multiple_master_keys
-      assert Rails.application.credentials.dig(:active_record_encryption, :master_key).length > 1
+    def assert_multiple_primary_keys
+      assert Rails.application.credentials.dig(:active_record_encryption, :primary_key).length > 1
     end
 end

activerecord/test/cases/encryption/helper.rb

@@ -141,7 +141,7 @@ class ActiveRecord::TestCase
   include ActiveRecord::Encryption::EncryptionHelpers, ActiveRecord::Encryption::PerformanceHelpers
   # , PerformanceHelpers
 
-  ENCRYPTION_ERROR_FLAGS = %i[ master_key store_key_references key_derivation_salt support_unencrypted_data
+  ENCRYPTION_ERROR_FLAGS = %i[ primary_key store_key_references key_derivation_salt support_unencrypted_data
     encrypt_fixtures ]
 
   setup do

activerecord/test/cases/helper.rb

@@ -226,7 +226,7 @@ end
 # Encryption
 
 ActiveRecord::Encryption.configure \
-  master_key: "test master key",
+  primary_key: "test master key",
   deterministic_key: "test deterministic key",
   key_derivation_salt: "testing key derivation salt"
 

guides/source/active_record_encryption.md

@@ -28,7 +28,7 @@ $ bin/rails db:encryption:init
 Add this entry to the credentials of the target environment:
 
 active_record.encryption:
-  master_key: EGY8WhulUOXixybod7ZWwMIL68R9o5kC
+  primary_key: EGY8WhulUOXixybod7ZWwMIL68R9o5kC
   deterministic_key: aPA5XyALhf75NNnMzaspW7akTfZp0lPY
   key_derivation_salt: xEY0dt6TZcAMg52K7O84wYzkjvbA62Hz
 ```