attr_encrypted_pgcrypto
A pgcrypto-based Encryptor implementation for attr_encrypted. It delegates to pgp_sym_encrypt()
and pgp_sym_decrypt()
to provide symmetric-key encryption. It's useful if you need to:
- Access the plain text values directly from SQL without bringing the data into Ruby
- Integrate databases managed by other applications
Is this library a bad idea? Potentially! Please open an issue to discuss and help document any caveats.
Installation
Add this line to your application's Gemfile:
gem 'attr_encrypted_pgcrypto'
And then execute:
$ bundle
Your platform may not ship with the pgcrypto extensions by default. On Ubuntu, run:
apt-get install postgresql-contrib-9.1
Generate a migration to load the pgcrypto extension into your database. Your user will need superuser privileges to run this query, so you may need to manually run this via psql
as the postgres
user if your Rails database user does not have access.
execute("CREATE EXTENSION IF NOT EXISTS pgcrypto")
Extensions are database specific. To ensure that the extension is also enabled for your test database, rails needs to use the sql schema format. Edit config/application.rb
to set:
config.active_record.schema_format = :sql
Usage
See attr_encrypted's Custom encryptor documentation.
class User
attr_encrypted :ssn, :key => 'a secret key', :encryptor => AttrEncryptedPgcrypto::Encryptor, :encode => false
end
If you do not disable :encode
, attr_encrypted will base64 encode the output, defeating the purpose of being able to query the data directly from SQL.
This is an example - please don't actually embed your keys directly in your model as literal strings, or even commit them in your repository. I recommend storing your key in a .gitignored config/pgcrypto_key.txt file, having capistrano (or your preferred deployment utility) copy this from a local 'shared/' folder, and reading the value into Rails.application.config.pgcrypto
via an initializer.
Caveats
- Your key is embedded into any SQL queries. The key itself will be automatically filtered from your Rails logs. However, make sure you are using a secured or private connection between your Rails server and your database.
- Unlike the OpenSSL algorithms used in the default Encryptor,
pgp_sym_encrypt()
uses an IV and will generate different cipher text every call. While this is more secure, you will not be able to use attr_encrypted's find_by_ methods.
Benchmarks
pgcrypto comes out slightly faster than the OpenSSL implementation used in the default encryptor.
Benchmarking 10000 calls
user system total real
pgcrypto 1.640000 1.590000 3.230000 ( 11.775697)
openssl 15.740000 0.000000 15.740000 ( 15.704010)
Since pgcrypto is executed in a separate process, pay attention to the 'real' column for the relevant metric.
Setup spec/database.yml and run rake benchmark
to test the results on your own system. You may pass an optional 'count' parameter via rake "benchmark[100000]"
.
Compatability
Tested against:
- MRI Ruby 2.7
- Rails 6
- attr_encrypted 3.1.0
- PostgreSQL 11.8
Credits
The bulk of this code is a humble verbatim copy and paste job from jmazzi's crypt_keeper gem. Thanks, Justin!
Contributing
- Fork it
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Add some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create new Pull Request