
How to generate encryption key for use with attr_encrypted

I'm considering using the attr_encrypted gem for field-level encryption in a Rails app. How do I generate an encryption key for use with this gem?

Update:

The documentation for Encryptor, which is the underlying encryption used by attr_encrypted, states the following (under Usage | Basic):

secret_key = Digest::SHA256.hexdigest('a secret key')
encrypted_value = Encryptor.encrypt('some string to encrypt', :key => secret_key)

I would guess that a secret key can be any arbitrary-length random string and the call to hexdigest will compute an appropriate fixed-length string from it. Is this the recommended way to do it?

Richard Cook asked Jul 01 '13 15:07


1 Answer

The key is just a string; any string will do. You just want to keep it away from people who are not allowed to see the plaintext data. You could simply generate a key using SecureRandom.base64. That would make it practically unguessable by brute force, with very little effort from you.

The interesting thing here is key management. Your options with this gem appear to be:

  • Hard-code the key into the application. This prevents "accidental" reading of sensitive data by e.g. a DBA or support engineer, but it is not secure from anyone who knows how the gem works, if they can access both the source code and the database.

  • Reference a named method which will determine the key. This is more interesting, but beware: Putting the key into the database does not really add much security. Someone who can access the database and code can do much the same as if the value were hard-coded.

You can improve things slightly, or at least get the development team separated from the encrypted data, by having the application read at least part of the key from a location that developers (or perhaps just the majority of developers) cannot access in production. Going beyond that is harder, at least with this gem as-is, because the application will need to run with access to the encrypt/decrypt keys.

Whether or not this is good enough depends on why you are encrypting the data in the first place.

Neil Slater answered Sep 21 '22 20:09
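
The approach described in the answer, as an added example that is not part of the original post or the gem's own code: generate a random key with SecureRandom, load it at boot from an environment variable that is set only in production, and fail closed if it is missing or the wrong size. The variable name FIELD_ENCRYPTION_KEY, the 32-byte key length, and the use of Ruby's OpenSSL AES-256-GCM as a stand-in for the gem's encrypt/decrypt calls are assumptions.

```ruby
require "securerandom"
require "base64"
require "openssl"

KEY_BYTES = 32                    # assumption: AES-256 key size
ENV_VAR = "FIELD_ENCRYPTION_KEY"  # hypothetical variable name

# Run once, outside the repository; store the output with production secrets.
def generate_key
  Base64.strict_encode64(SecureRandom.random_bytes(KEY_BYTES))
end

# Load the key at boot. Refuse to start with a missing or malformed key
# instead of silently falling back to a default.
def load_key(env = ENV)
  encoded = env[ENV_VAR]
  raise KeyError, "#{ENV_VAR} is not set" if encoded.nil? || encoded.empty?
  key = Base64.strict_decode64(encoded) # ArgumentError on invalid base64
  unless key.bytesize == KEY_BYTES
    raise ArgumentError, "expected #{KEY_BYTES} key bytes, got #{key.bytesize}"
  end
  key
end

# Stand-in for field encryption: returns [iv, auth_tag, ciphertext].
def encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv # fresh IV for every value
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext]
end

# Raises OpenSSL::Cipher::CipherError if the key or the data is wrong.
def decrypt(key, iv, tag, ciphertext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
end

# Key generation step when the file is run directly.
puts generate_key if __FILE__ == $PROGRAM_NAME
```

With the key kept out of source control and out of the database, someone holding only the code and a database dump cannot decrypt the fields; the running application still has the key, as the answer notes.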