Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to secure user data in the database with Rails?

Tags:

security

database

ruby-on-rails

encryption

I am creating a rails application that needs to store a large amount of sensitive data. To assure my customers that the data is being protected, I want to encrypt it on a per-user basis. I have done research looking for gems that can accomplish this. So far I've found strongbox and safe. Together, this would seem to provide a solution for me.

However, I am wondering if this is a common practice. It would seem that most rails applications have some sensitive data to store regarding their users. AuthLogic is handling my password encryption, but emails and other personal data are just as sensitive. Is it common practice to leave these items unencrypted in the database and assume that it will never be compromised? I understand that the database resides in an area that can not communicate with the outside world, but a determined attacker could easily compromise this. Is it common practice for Rails developers leave their data unencrypted and simply trust the security of their web server?

like image 979
Jeremy Mack Avatar asked Oct 28 '09 02:10

Jeremy Mack

People also ask

How does Rails encryption work?

Using encryption in Rails 7 It works by declaring which attributes should be encrypted and seamlessly encrypting and decrypting them when needed. The encryption layer sits between the database and the application. The application will access unencrypted data, but the database will store it encrypted.

Are Rails sessions secure?

Rails uses encryption to securely prevent tampering with the session contents, however, users cannot revoke sessions because the contents are stored on the browser.

How can you protect data at rest from being readable?

Conventional antivirus software and firewalls are the most common security measures used to protect data at rest.

1 Answers

Using layered security mechanisms and strong cryptography is good practice if you are storing a large amount of sensitive data. It is required by the Payment Card Industry’s Data Security Standard (PCI DSS). I suggest that you read the following guideline document: https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf.

You should definitely not "assume that it will never be compromised"

like image 132
Peder Avatar answered Sep 21 '22 11:09

Peder
Sign in to Comment

Related questions

how does activerecord know to perform an insert or update?
Ruby on Rails: link-to using post method but parameters are in the URL
Why do I get a AssociationTypeMismatch when creating my model object?
Find and replace entire HTML nodes with Nokogiri
Rails Dates Time and Fixtures
Safest and Railsiest way in CanCan to do Guest, User, Admin permissions
Pros and cons of database triggers vs Rails ActiveRecord callbacks?
Eager loading associations on ActiveModel instances in Rails
Reload factory_girl factory
Rails engine / How to use seed?
Rails/Ember - active_model_serializer - undefined method `object' when sideloading
Equivalent to Array.some in ruby/rails
ActiveRecord SQL execution time
How do I use bundle exec rake on RubyMine?
prettify JSON output of active-model-serializer in rails console
How to add default value to a column being added through 'rails g migration' command
after_initialize & after_find callbacks order in Active Record object life cycle?
undefined method pluralize for main:Object
configure redis auth on sidekiq
Rails change primary id to 64 bit bigint

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!