Encryption in Ruby on Rails

January 9, 2015 by Daniel P. Clark


When I first looked into encrypting data in my Rails database, I found that a couple of forums and StackOverflow questions recommended two gems: attr_encrypted and strongbox.  Besides that there were a few do-it-yourself examples using Ruby’s built-in OpenSSL library, and some other small libraries like AESCrypt.  After examining these gems I found they did not meet my needs.  So I wrote my own library to do it: AesKeeper.

With my new library I was able to quickly, and easily, save encrypted data to my database.  Now I no longer have to worry about potentially sensitive user data being seen by, say, “data analysts”.  Things have been smooth sailing with it and I’m quite proud of it.

Of course I didn’t write it completely from scratch.  I had to research how to even accomplish the task at hand.  I followed a few tutorials and asked a few questions on the StackExchange sites for Security & Cryptography.  After a few days I had it in working order.  I built it into a website and it works well.

Little did I know

I had re-invented the wheel.  It turns out that Rails has basically the same thing built into it.  I stumbled across a reference to it while flipping through the book “The Rails 4 Way”.  It’s the library ActiveSupport::MessageEncryptor.  I was surprised that I had never seen it mentioned anywhere in my online quest for encrypting data in Rails.  It should have been obvious!

I was curious how long it had been in Rails, so I looked into the history of the Rails source code and found that it was first added in version 2.3.0 (Nov 5th, 2008).  If it’s been around that long, then why haven’t people used, and illustrated, it on StackOverflow as the answer to this question?  I honestly don’t know.  My guess is that many people are still unaware of it.  So I’m sharing it with you now so that you have this option within reach.

Of course you’re more than welcome to use my library.  There are probably a few subtle differences, but overall they’re the same kind of tool for the same kind of job.  Maybe you can use AesKeeper for your non-Rails projects.  It’s available.
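To make the comparison concrete, here is an added example (not code from AesKeeper, and not the Rails source) that builds the same kind of token MessageEncryptor produced at the time, AES-256-CBC with a separate HMAC-SHA256 over the ciphertext and IV, using only Ruby’s built-in OpenSSL library that the do-it-yourself tutorials above rely on.  The module name FieldCrypto, the key-derivation parameters and the sample secret and salt are this example’s own choices, not values from the post or from Rails.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not part of the original post: an encrypt-then-MAC token in
# the style of ActiveSupport::MessageEncryptor (AES-256-CBC + HMAC-SHA256).
# Names, KDF parameters and sample inputs are constructed for this example.
module FieldCrypto
  CIPHER    = 'aes-256-cbc'
  KEY_LEN   = 32      # AES-256 key size in bytes
  SEPARATOR = '--'    # base64 never contains '-', so the separator is unambiguous

  # Derive two independent 32-byte keys from one secret: one for the cipher,
  # one for the MAC. The iteration count is a constructed example value.
  def self.derive_keys(secret, salt)
    material = OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, 20_000, KEY_LEN * 2, 'sha256')
    [material[0, KEY_LEN], material[KEY_LEN, KEY_LEN]]
  end

  # Returns "<base64 ciphertext>--<base64 iv>--<hex hmac>".
  def self.encrypt(plaintext, secret, salt)
    enc_key, mac_key = derive_keys(secret, salt)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    cipher.key = enc_key
    iv = cipher.random_iv                 # fresh random IV per message; CBC must never reuse one
    ciphertext = cipher.update(plaintext) + cipher.final
    body = [ciphertext].pack('m0') + SEPARATOR + [iv].pack('m0')
    body + SEPARATOR + OpenSSL::HMAC.hexdigest('sha256', mac_key, body)
  end

  # Verifies the MAC before touching the ciphertext; raises ArgumentError on
  # any tampering, truncation or wrong secret instead of returning garbage.
  def self.decrypt(token, secret, salt)
    enc_key, mac_key = derive_keys(secret, salt)
    body, sep, tag = token.rpartition(SEPARATOR)
    expected = OpenSSL::HMAC.hexdigest('sha256', mac_key, body)
    raise ArgumentError, 'invalid message' if sep.empty? || !secure_compare(expected, tag)

    ct_b64, iv_b64 = body.split(SEPARATOR)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.decrypt
    cipher.key = enc_key
    cipher.iv  = iv_b64.unpack1('m0')
    cipher.update(ct_b64.unpack1('m0')) + cipher.final
  end

  # Constant-time comparison so the MAC check does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-example-secret'   # in an app this comes from config/ENV, never the database
  salt   = 'constructed-example-salt'
  token  = FieldCrypto.encrypt('ssn=123-45-6789', secret, salt)
  puts token
  puts FieldCrypto.decrypt(token, secret, salt)
end
```

The token is plain text, so it fits a normal string or text column.  The two things that matter operationally are the same as for MessageEncryptor: the secret must live outside the database (otherwise whoever can read the column can also decrypt it), and the MAC is checked before decryption so a modified or truncated value fails loudly instead of decrypting to garbage.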

In General

You should always be thinking about security.  The more people who use the services, applications, or tools you build, the more people you directly affect by the security measures you did or didn’t take.  Lots of big-name companies are dealing with user data getting compromised.

To be more aware of security issues, your mind needs to be active on this topic.  To that end I recommend you listen to the weekly podcast Security Now by Steve Gibson (guest host Leo Laporte).  Steve Gibson has been hosting this podcast for nearly 500 episodes.  You will hear all the latest security news from around the world, and this will get the appropriate gears in your mind turning.

Also be sure to follow Ruby and Ruby on Rails security issue reports and patches/updates.  Here are some helpful resources to keep an eye on:

Ruby

  1. https://www.ruby-lang.org/en/security/
  2. http://www.cvedetails.com/vulnerability-list/vendor_id-7252/product_id-12215/Ruby-lang-Ruby.html

Ruby on Rails

  1. http://www.rorsecurity.info/
  2. http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html

General Ruby on Rails security guidelines are available here: http://guides.rubyonrails.org/security.html

I hope this was both insightful and useful!  As Avdi Grimm would say “Happy Hacking!”. Please comment, share, subscribe to my RSS Feed, and follow me on twitter @6ftdan!

God Bless!
-Daniel P. Clark


Comments

  1. trodriguez91
    January 9, 2015 - 9:28 am

    Thanks man!

  2. Jeff Dickey
    January 17, 2015 - 4:14 am

    Daniel, that rorsecurity.info site doesn’t appear to have been updated since February, 2011. It even advertises a conference that was to have been held 31 May to 2 June, 2010.

    I’d hope we have more timely security resources than that without resorting to the raw CVEs.

  3. Daniel P. Clark
    April 28, 2016 - 4:34 pm

    For anyone interested, I’ve written a gem to make using Rails’ internal encryption easy to use: acts_as_encryptable
