Rails: Encrypting your database information using Active Record Encryption

Posted About 1 year ago. Visible to the public.

Since Rails 7 you are able to encrypt database information with Active Record Show archive.org snapshot . Using Active Record Encryption will store an attribute as string in the database. And uses JSON for serializing the encrypted attribute.

Example:

  • p: Payload
  • h: Headers
  • iv: Initialization Vector
  • at: Authentication Tag
{ "p": "n7J0/ol+a7DRMeaE", "h": { "iv": "DXZMDWUKfp3bg/Yu", "at": "X1/YjMHbHD4talgF9dt61A=="} }

Note this before encrypting attributes with Active Record:

  • You need to choose between a non-deterministic and deterministic mode. The non-deterministic mode is the default and will result in a different payload for the same value. In case you need a unique index e.g. for a email attribute, you need to use the deterministic mode.
  • Encrypting attributes will prevent you from using usual database queries. Searching for substrings, grouping by an attribute, bulk updates and many more. Regular where-Queries will work for deterministic columns.

Example integration with devise

Here is an example encrypting a user table managed by devise Show archive.org snapshot . It could help you to get a rough idea of the necessary steps you need to consider when introduction Active Record Encryption in your application.

class User < ApplicationRecord
  devise :database_authenticatable,
    :registerable,
    :recoverable,
    :rememberable,
    :confirmable

  validates :name, presence: true

  encrypts :email, deterministic: true, downcase: true
  encrypts :unconfirmed_email, deterministic: true, downcase: true
  encrypts :name
end

Using a secrets.yml instead of the credential store

You need to configure your Active Record Encryption keys manually in the config/application.rb:

config.active_record.encryption.primary_key = Rails.application.secrets.dig(:active_record_encryption, :primary_key)
config.active_record.encryption.deterministic_key = Rails.application.secrets.dig(:active_record_encryption, :deterministic_key)
config.active_record.encryption.key_derivation_salt = Rails.application.secrets.dig(:active_record_encryption, :key_derivation_salt)

Your config/secrets.yml can be filled with the values from bin/rails db:encryption:init for each environment.

active_record_encryption:
  primary_key: <some-secret>
  deterministic_key: <some-secret>
  key_derivation_salt: <some-secret>

Migrating existing users

If you already have values in your user database, a good default is to enforce all existing data to be encrypted. Another option would be to encrypt attributes on the fly, when a record is updated.

class EncryptUserAttributes < ActiveRecord::Migration[7.0]

  # It would have been possible to use the EncryptableRecord API with a `previous` option:
  #
  # ```
  # encrypts :email, deterministic: true, downcase: true, previous: { encryptor: ActiveRecord::Encryption::NullEncryptor.new }
  # ```
  #
  # But in the down migration it was difficult to use the Encryption::NullEncryptor as main encryptor and Encryption::Encryptor
  # as previous encryptor. The NullEncryptor will never raise an Encryption::Errors::Base since an encrypted string would still
  # be valid for the NullEncryptor and therefore the previous encrypted is never called.
  #
  # In this approach the implementation of a smart NullEncryptor was skipped and the relevant parts from EncryptableRecord
  # where extracted to reduce the amount of Rails magic.

  class User < ActiveRecord::Base
  end

  def deterministic_key
    ActiveRecord::Encryption.config.deterministic_key
  end

  def up
    User.find_each do |user|
     user.name = ActiveRecord::Encryption::Encryptor.new.encrypt(user.name)

      user.email = ActiveRecord::Encryption::Encryptor.new.encrypt(
        user.email,
        key_provider: ActiveRecord::Encryption::DeterministicKeyProvider.new(deterministic_key),
        cipher_options: { deterministic: true },
      )

      if user.unconfirmed_email.is_a?(String)
        user.unconfirmed_email = ActiveRecord::Encryption::Encryptor.new.encrypt(
          user.unconfirmed_email,
          key_provider: ActiveRecord::Encryption::DeterministicKeyProvider.new(deterministic_key),
          cipher_options: { deterministic: true },
        )
      end

      user.save!
    end
  end

  def down
    User.find_each do |user|
      user.name = ActiveRecord::Encryption::Encryptor.new.decrypt(user.name)

      user.email = ActiveRecord::Encryption::Encryptor.new.decrypt(
        user.email,
        key_provider: ActiveRecord::Encryption::DeterministicKeyProvider.new(deterministic_key),
      )

      if user.unconfirmed_email.is_a?(String)
        user.unconfirmed_email = ActiveRecord::Encryption::Encryptor.new.decrypt(
          user.unconfirmed_email,
          key_provider: ActiveRecord::Encryption::DeterministicKeyProvider.new(deterministic_key),
        )
      end

      user.save!
    end
  end
end

Update the database constraints of devise

You might want to remove the default: '' option from the email column (see #5552 Show archive.org snapshot & #5436 Show archive.org snapshot for the discussions). In case you don't use omniauth, adding a null: false constraint could improve your data integrity.

class ChangeUserContraints < ActiveRecord::Migration[7.0]
  def up
    change_column_default(:users, :email, nil)
    change_column_null(:users, :email, false)
  end

  def down
    change_column_null(:users, :email, true)
    change_column_default(:users, :email, '')
  end
end

Optional adjusting SimpleForm

In case you are using SimpleForm Show archive.org snapshot , you might notice that the inputs are not correctly detected as string anymore. This might be fixed in the future, for now declaring the type solved the issue.

    = form.input :email,
      required: true,
      autofocus: true,
-     input_html: { autocomplete: 'email' }
+     input_html: { autocomplete: 'email' },
+     as: :string
Emanuel
makandra.de
Say thanks4
Last edit
About 1 year ago
Tobias Kraze
License
Source code in this card is licensed under the MIT License.

Related cards:

Use DatabaseCleaner with multiple test databases

There is a way to use multiple databases in Rails.
You may have asked yourself how you're able to keep your test databases clean, if you're running multiple databases with ful...

Rails: Using database default values for boolean attributes

In the past we validate and set default values for boolean attributes in Rails and not the database itself.

Reasons for this:

  • Older Rails didn't s...

Rails: Comparison of assignable_values and Active Record enum types

We are using assignable_values for managing enum values in Rails. Nevertheless Rails [is adding more support for enum attributes](https://blog.saeloun.com/2021/02/26/rails-introduces-new-syntax-for-...

ActiveModel: Make Any Ruby Object Feel Like ActiveRecord « Katz Got Your Tongue?

Rails 2.3 has a ton of really nice functionality locked up in monolithic components. I’ve posted quite a bit about how we’ve opened up a lot of that functionality in ActionPack, making it easier to reuse the router, dispatcher, and individual part...

Your database tables should always have timestamps

Whenever you create a table from a database migration, remember to add updated_at and created_at timestamps to that table. Without those timestamps, investigating future bug reports will be hell. Always have timestamps.

Adding timestamps ...

Rails: Migration helper for inserting records without using models

You should avoid using application models in your migrations. But how else could you create records in a migration?

The most basic way is to write plain SQL, but since INSERT statements are no pleasant write for Rubyists, here ...

Rails: How to check if a certain validation failed

If validations failed for a record, and you want to find out if a specific validation failed, you can leverage ActiveModel's error objects.
You rarely need this in application code (you usually just want to print error messages), but it can be u...

Apply a new callback to existing records

So you added a new callback to your model that (e.g.) caches some data when it is saved. Now you need to run that callback for the 10000 existing records in the production database. You have two options here:

  1. Write a clever migration, possibly...

Accept nested attributes for a record that is not an association

Note: Instead of using the method in this card, you probably want to use ActiveType's nested attributes which is a much more refined way of doing this.

The attach...

Rails: Talking to the database without instantiating ActiveRecord objects

Instantiating ActiveRecord objects comes expensive. To speed up things, you can choose a more direct way to talk to your database: the [ActiveRecord::ConnectionAdapters::DatabaseStatements](http://api.rubyonrails.org/classes/ActiveRecord/Connect...

Posted by Emanuel to makandra dev (2023-02-23 09:20)
This website uses short-lived cookies to improve usability.
or learn more