Provides transparent encryption attribute for ActiveRecord. You can easily encrypt and decrypt sensitive data.
This implementation is based on ActiveRecord's Attribute-API, and it is very simple and powerful.
Add definition of the encrypted attribute in your application.
# app/models/post.rb
class Post < ActiveRecord::Base
encrypted_attribute(:name, :string)
end
That's all. This column is already enabled for transparent encryption.
post = Post.create!(name: 'Baker')
post.name #=> "Baker"
post.name_before_type_cast #=> "ZS~\xAB\x8C\xD1\xCA\u0016\xA8\x80f@\xE8s\xB7J/\xA9\xEC/\xBDj\xDE6(Y\u007F\u0016<W\u0011\x96"
You can set encryption as default.
# config/initializers/active_record_encryption.rb
ActiveRecordEncryption.default_encryption = {
encryptor: :active_support,
key: ENV['ENCRYPTION_KEY'],
salt: ENV['ENCRYPTION_SALT']
}
.encrypted_attribute()
wrapped on .attribute
method. and you can pass the same arguments as ActiveRecord::Attributes.attribute
class PointLog < ActiveRecord::Base
encrypted_attribute(:date, :date)
encrypted_attribute(:point, :integer, default: -> { Current.user.current_point })
encrypted_attribute(:price, Money.new)
encrypted_attribute(:serialized_address, :string)
# Change encryptor
encrypted_attribute(:name, :field, encryption: { encryptor: :active_support, key: ENV['ENCRYPTION_KEY'], salt: ENV['ENCRYPTION_SALT'] })
end
There are four supported encryptors: :active_support
, :aes_256_cbc
.
:active_support
- Encryption is performed using
ActiveSupport::MessageEncryptor
- Example
encrypted_attribute(:field, :type, encryption: { encryptor: :active_support, key: SecureRandom.hex(64), salt: SecureRandom.hex(64) })
- Encryption is performed using
:aes_256_cbc
- Encryption is performed using
OpenSSL::Cipher.new('AES-256-CBC')
- Example
encrypted_attribute(:field, :type, encryption: { encryptor: :aes_256_cbc, key: SecureRandom.hex(64) })
- Encryption is performed using
You can easilly add your encryptor.
class YourEncryptor < ActiveRecordEncryption::Encryptor::Base
def initialize(key:)
@key = key
end
def encrypt(value)
# An encrypt method that returns the encrypted string
end
def decrypt(value)
# A decrypt method that returns the plaintext
end
end
ActiveRecordEncryption.default_encryption = {
encryptor: YourEncryptor,
key: ENV['ENCRYPTION_KEY']
}
For encryptors requiring secret keys, you can generate them. These values should be stored outside of your application repository for added security.
ruby -e "require 'securerandom'; puts SecureRandom.hex(64)"`
Create or modify the table that your model like the following:
NOTE: Default limit of ActiveRecord's binary column is too long. Please set limit(< 0xfff) for encrypted columns.
ActiveRecord::Schema.define do
create_table(:posts) do |t|
t.binary :name, limit: 1000
end
end
docker compose up -d
bundle exec appraisal install
bundle exec appraisal rspec
Bug reports and pull requests are welcome on GitHub at https://github.com/alpaca-tc/active_record_encryption. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.
The gem is available as open source under the terms of the MIT License.
Everyone interacting in the ActiveRecord::Encryption
project’s codebases, issue trackers, chat rooms and mailing lists is expected to follow the code of conduct.