Tags: ruby-on-rails, devise, migration

Migrate encrypted password using devise to another environment using devise but with different devise pepper while maintaining passwords


So I am trying to migrate my users' data where the encrypted password is stored directly, and we have no way to recover the plain password text since it's a one-way hash. We are using Devise for encryption, which internally uses bcrypt. Devise uses a devise pepper for hashing passwords, and I want to migrate it to another environment which has a different devise pepper but want to maintain the existing passwords so that users don't have to reset their passwords. We want to do this internally so that the users don't get affected by this.

It's easy to migrate if you have the same devise pepper and devise secret key in any place, but if the devise pepper is different then you are not able to move it.


Solution

  • Correct, you're not able to move it. Your only option without involving your customers is to first authenticate them against the old hash, then you know you have the correct password, so you can hash it using the new pepper/key.

    Obviously your algorithm would check to see if they have a new hash first, and if so just use that, but then fall back to checking using the old pepper/key against the old hash, and if successful creating a new hash.
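The fallback-then-rehash login flow the answer describes, as an added stand-alone example that is not Devise's own code. Devise digests `"#{password}#{pepper}"` with bcrypt; because the bcrypt gem is not in Ruby's standard library, this example stands in PBKDF2-HMAC from OpenSSL for bcrypt while keeping the pepper-appending step, and the pepper values, column names and iteration count are constructed.

```ruby
require "openssl"
require "securerandom"

# Constructed sample values: the pepper of the old environment and the new one.
OLD_PEPPER = "old-environment-pepper"
NEW_PEPPER = "new-environment-pepper"
ITERATIONS = 20_000

# Stand-in for Devise::Encryptor.digest: the pepper is appended to the
# password before hashing, exactly as Devise does; only the hash function
# differs (PBKDF2-HMAC-SHA256 instead of bcrypt). Stored form: "salt$hex".
def digest(password, pepper, salt = SecureRandom.hex(16))
  key = OpenSSL::KDF.pbkdf2_hmac("#{password}#{pepper}", salt: salt,
                                 iterations: ITERATIONS, length: 32,
                                 hash: "sha256")
  "#{salt}$#{key.unpack1('H*')}"
end

# Constant-time comparison in the style of Devise.secure_compare.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Stand-in for Devise::Encryptor.compare: re-derive with the stored salt.
def valid?(stored, password, pepper)
  salt, _ = stored.split("$", 2)
  secure_compare(digest(password, pepper, salt), stored)
end

# A user row as imported into the new environment: the old-pepper digest is
# kept in a legacy column (constructed name) and encrypted_password stays
# empty until the user's first successful login.
def import_user(legacy_digest)
  { legacy_encrypted_password: legacy_digest, encrypted_password: nil }
end

# Check the new hash first; otherwise verify against the legacy hash under the
# old pepper and, on success, create the new-pepper hash and drop the old one.
def authenticate!(user, password)
  if user[:encrypted_password]
    return valid?(user[:encrypted_password], password, NEW_PEPPER)
  end
  legacy = user[:legacy_encrypted_password]
  return false unless legacy && valid?(legacy, password, OLD_PEPPER)
  user[:encrypted_password] = digest(password, NEW_PEPPER)
  user[:legacy_encrypted_password] = nil
  true
end
```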