Configure ActiveRecord encryption

Following the ActiveRecord encryption rails guide[1] this commit
configures active record with the necessary encryption keys and salts.

In development the values of these variables doesn't matter, but to
avoid confusion I've set them to something that isn't obviously an
encryption key (such as the ones generated by
`db:encryption:init`). We'll need to ensure that these three
environment variables are set in non-local environments before this
change is deployed.

[1] https://guides.rubyonrails.org/active_record_encryption.html

Author: chrislo

.circleci/config.yml

@@ -28,6 +28,9 @@ jobs:
       POSTGRES_USER: choco
       POSTGRES_HOST: "127.0.0.1"
       RAILS_ENV: test
+      ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY: primary-key
+      ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY: deterministic-key
+      ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT: derivation-salt
     steps:
       - checkout
       - browser-tools/install-firefox

.env.example

@@ -31,3 +31,8 @@ HOST_URL=http://localhost:3009
 EDITOR_PUBLIC_URL=http://localhost:3012
 
 PROFILE_API_KEY=test # This has to match the value set in Profile (https://github.com/RaspberryPiFoundation/profile/blob/ca10a4f360b6fe2b04be76264e03283054126b0f/.env.example#L45).
+
+# Run bin/rails db:encryption:init to generate values for these if you need to encrypt securely locally.
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=primary-key
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=deterministic-key
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=derivation-salt

config/initializers/encryption.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+Rails.application.configure do
+  config.active_record.encryption.primary_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY')
+  config.active_record.encryption.deterministic_key = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY')
+  config.active_record.encryption.key_derivation_salt = ENV.fetch('ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT')
+end