I’ve been investigating encrypting personally-identifying information within a Rails application and I’ve been a bit underwhelmed at what I’ve found so far. The most commonly used library I’ve found to help deal with this issue has been attr_encrypted, but it’s felt a bit onerous to integrate with an existing application.
In particular, it seems to have somewhat weak security out of the box, using the same salt and IV for the entire data set. To achieve stronger encryption at rest guarantees, it appears to demand adding 3 columns to a table for each field you wish to encrypt. For example, to encrypt a user’s name, you’d need your table to have
encrypted_username_iv. This didn’t strike me as particularly Rails-y, and I thought there had to be better alternatives to the problem of encrypting database content at rest.
I guess my question to the community at large is this: what strategies have you been using to encrypt database data at rest? Any tips/strategies/libraries you’ve found particularly helpful?
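As an added example (not from the original post and not attr_encrypted's own code): one way to give every value its own salt and IV without extra columns is to pack them in front of the ciphertext in a single column. The `FieldCrypto` module, the blob layout and the `"users.username"` context string are assumptions made for illustration.

```ruby
require "openssl"

# Added example: salt + IV + auth tag + ciphertext packed into ONE column.
# Module name and blob layout are illustrative assumptions.
module FieldCrypto
  SALT_LEN = 16
  IV_LEN   = 12 # standard AES-GCM nonce size
  TAG_LEN  = 16
  HEADER   = SALT_LEN + IV_LEN + TAG_LEN

  # Per-value key: HKDF over the master key with a random per-value salt.
  def self.derive_key(master_key, salt)
    OpenSSL::KDF.hkdf(master_key, salt: salt, info: "field-encryption",
                      length: 32, hash: "SHA256")
  end

  # context (e.g. "users.username") is authenticated but not stored, so a
  # blob copied into a different column fails to decrypt.
  def self.encrypt(master_key, plaintext, context)
    salt   = OpenSSL::Random.random_bytes(SALT_LEN)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = derive_key(master_key, salt)
    iv = cipher.random_iv # fresh random IV for every value
    cipher.auth_data = context
    ct = cipher.update(plaintext) + cipher.final
    [salt + iv + cipher.auth_tag(TAG_LEN) + ct].pack("m0") # strict Base64
  end

  def self.decrypt(master_key, blob, context)
    raw = blob.unpack1("m0")
    raise ArgumentError, "blob too short" if raw.bytesize <= HEADER
    salt = raw.byteslice(0, SALT_LEN)
    iv   = raw.byteslice(SALT_LEN, IV_LEN)
    tag  = raw.byteslice(SALT_LEN + IV_LEN, TAG_LEN)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = derive_key(master_key, salt)
    cipher.iv  = iv
    cipher.auth_tag  = tag
    cipher.auth_data = context
    # final raises OpenSSL::Cipher::CipherError if anything was altered
    pt = cipher.update(raw.byteslice(HEADER, raw.bytesize)) + cipher.final
    pt.force_encoding("UTF-8")
  end
end

# Constructed sample data; a real key would come from a secret store.
demo_key = OpenSSL::Random.random_bytes(32)
blob = FieldCrypto.encrypt(demo_key, "alice", "users.username")
puts FieldCrypto.decrypt(demo_key, blob, "users.username")
```

Because the salt and IV are random per value, encrypting the same name twice yields different blobs, so equal plaintexts cannot be matched by comparing the stored column.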
I’m not a security expert but I’ve come to realize that there are 2 types of encryption, disk (physical) encryption and software encryption (md5 hashes and salts, virtual computed attributes and the like), and neither has anything to do with Rails. You simply implement those encryption theories using Ruby or whatever programming language you choose. And the theories are very well thought out and provide impressively strong security though it might seem weak on the surface. Personally I didn’t dive too deep into the theory because it’s an industry in itself. I simply follow thoughtbot examples or even railstutorial.org examples, or I think you can even outsource encryption services where you send your already encrypted/hashed data to a company whose sole purpose is to secure your data physically.
I’ll put together a blog post next weekend on bank-level encryption with Rails, but here’s a post about rotating keys in the meantime: http://product.reverb.com/2015/01/20/encryption-on-rails-a-primer/
Thanks for sharing! I’ll give it a read. Key management, auditing, and rotation are definitely complementary pieces to the issue at hand and are critical to the safeguarding of customer PII.