Provides transparent encryption for ActiveRecord. It is encryption agnostic. You can guard your data with any encryption algorithm you want. All you need is a simple class that does 3 things.
- Takes a hash argument for
initialize
- Provides an
encrypt
method that returns the encrypted string - Provides a
decrypt
method that returns the plaintext
Note: Any options defined using crypt_keeper
will be passed to new
as a
hash.
You can see an AES example here.
The options available were either too complicated under the hood or had weird edge cases that made the library hard to use. I wanted to write something simple that just works.
class MyModel < ActiveRecord::Base
crypt_keeper :field, :other_field, :encryptor => :aes, :key => 'super_good_password'
end
model = MyModel.new(field: 'sometext')
model.save! #=> Your data is now encrypted
model.field #=> 'sometext'
It works with all persistences methods: update_attributes
, create
, save
etc.
Note: update_attribute
is deprecated in ActiveRecord 3.2.7. It is superseded
by update_column
which skips all validations, callbacks.
That means using update_column
will not perform any encryption. This is
expected behavior, and has its use cases. An example would be migrating from
one type of encryption to another. Using update_column
would allow you to
update the content without going through the current encryptor.
Creating your own encryptor is easy. All you have to do is create a class
under the CryptKeeper::Provider
namespace, like this:
module CryptKeeper
module Provider
class MyEncryptor
def initialize(options = {})
end
def encrypt(value)
end
def decrypt(value)
end
end
end
end
Just require your code and setup your model to use it. Just pass the class name as a string or an underscored symbol
class MyModel < ActiveRecord::Base
crypt_keeper :field, :other_field, :encryptor => :my_encryptor, :key => 'super_good_password'
end
There are two included encryptors.
-
- Encryption is peformed using AES-256 via OpenSSL.
-
- Encryption is peformed MySQL's native AES functions.
- ActiveRecord logs are automatically filtered for you to protect senitive data from being logged.
-
- Encryption is performed using PostgresSQL's native PGP functions.
- It requires the
pgcrypto
PostgresSQL extension:CREATE EXTENSION IF NOT EXISTS pgcrypto
- ActiveRecord logs are automatically filtered for you to protect senitive data from being logged.
CryptKeeper has been tested against ActiveRecord 3.0, 3.1, and 3.2 using ruby 1.9.2, 1.9.3 and jruby in 1.9 mode.
Add this line to your application's Gemfile:
gem 'crypt_keeper'
And then execute:
$ bundle
Or install it yourself as:
$ gem install crypt_keeper
- Fork it
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Add some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create new Pull Request