Encryption in Ruby on Rails
When I had first looked into encrypting data in my Rails database I found on a couple of forms, and StackOverflow issues, they recommended two gems: attr_encrypted and strongbox. Besides that there where a few do it yourself examples with Ruby’s built-in OpenSSL library and some other small libraries like AESCrypt. After examining these gems I found they did not meet my needs. So I wrote my own library to do it: AesKeeper
With my new library I was able to quickly, and easily, save encrypted data to my database. Now I no longer have to worry about potentially sensitive user data being seen by, say, “data analysts”. Things have been smooth sailing with it and I’m quite proud of it.
Of course I didn’t write it completely from scratch. I had to research how to even accomplish the task at hand. I followed a few tutorials, I asked a few questions on the StackExchange servers for Security & Encryption. And after a few days I had it in working order. I built it into a website and it works well.
Little did I know
I had re-invented the wheel. It turns out that Rails basically has the same thing built into it. I stumbled across a reference to it flipping through the book “The Rails 4 Way”. It’s the library ActiveSupport::MessageEncryptor. I was surprised that I had never seen this mentioned anywhere in my online quest for encrypting data for Rails. It’s should have been obvious!
I was curious at how long it had been in Rails so I looked into the history or the Rails source code and found that this was first added to Rails in version 2.3.0(Nov 5th, 2008). If it’s been around so long then why haven’t people used, and illustrated, it in StackOverflow as the answer for this issue? I honestly don’t know. My guess is many people are still unaware about it. So I’m sharing it with you now so that you may have this option within reach.
Of course you’re more than welcome to use my library. There’s probably a few subtle differences. But overall they’re the same kind of tool for the same kind of job. Maybe you can use AesKeeper for your non-Rails projects. It’s available.
In General
You should always be thinking about security. The more people who will be using the services, applications, or tools you build; then the more people you may directly affect by the security measures you either did or didn’t take. Lots of big name companies are dealing with user data getting compromised.
To help you be more aware of security issues your mind needs to be active on this topic. So to do that I recommend you listen to the weekly podcast Security Now by Steve Gibson (guest host Leo Laporte). Steve Gibson has been hosting this podcast for nearly 500 episodes. You will get to hear all the latest news in Security going on around the world, and this will get the appropriate gears in your mind turning.
Also be sure to follow Ruby, and Ruby on Rails, security issue reports, and patches/updates. Here are some helpful resources to keep an eye on:
Ruby
- https://www.ruby-lang.org/en/security/
- http://www.cvedetails.com/vulnerability-list/vendor_id-7252/product_id-12215/Ruby-lang-Ruby.html
Ruby on Rails
- http://www.rorsecurity.info/
- http://www.cvedetails.com/vulnerability-list/vendor_id-12043/product_id-22568/Rubyonrails-Ruby-On-Rails.html
General Ruby on Rails security guide lines are available here: http://guides.rubyonrails.org/security.html
I hope this was both insightful and useful! As Avdi Grimm would say “Happy Hacking!”. Please comment, share, subscribe to my RSS Feed, and follow me on twitter @6ftdan!
God Bless!
-Daniel P. Clark
trodriguez91
January 9, 2015 - 9:28 am
Thanks man!
Daniel P. Clark
January 9, 2015 - 3:53 pm
It’s my pleasure!
Jeff Dickey
January 17, 2015 - 4:14 am
Daniel, that rorsecurity.info site doesn’t appear to have been updated since February, 2011. It even advertises a conference that was to have been held 31 May to 2 June, 2010.
I’d hope we have more timely security resources than that without resorting to the raw CVEs.
Daniel P. Clark
January 17, 2015 - 4:45 am
You’re right. That site is outdated. From what I can see no major site has taken it’s place with up-to-date news on security. There is a barely active google mail group: https://groups.google.com/forum/?fromgroups#!forum/rubyonrails-security . Github only has two issues with the security badge on it. Reddit is occasionally bringing up security: http://www.reddit.com/r/rails/search?q=rails+security&sort=relevance&restrict_sr=on&t=all But overall it looks like nothing active is maintained.
Daniel P. Clark
April 28, 2016 - 4:34 pm
For anyone interested I’ve written a gem to make using Rail’s internal encryption easy to use. acts_as_encryptable