Comments (8)
It seems weird to use a migration encryptor IMO, since you could end up with data encrypted by either the old or new styles. If I were migrating data from one version to another, I would write a script to do it on all models immediately. I think we should encourage people to do the same.
The code above looks fine, I just think we should make people deal with the migration at once instead of spreading it out until every model has been saved.
from crypt_keeper.
Maybe this could even be packaged as an ActiveRecord::Migration helper. Then you could migrate in two steps:
- Edit the model and specify the new encryptor
- Create an irreversible migration with something like
crypt_keeper_migrate :table_name, :old_encryptor
from crypt_keeper.
@itspriddle how could they end up with old encryption? Doing Model.all { |m| m.save } would re-encrypt everything with the new encryption.
from crypt_keeper.
@itspriddle I like the idea of db migration, hmmm
from crypt_keeper.
Looks good overall, my only concern is that it seems we will need to keep
the old versions around. If that is the case, maybe we should have some
kind of versioning mechanism?
On Feb 17, 2014 10:39 PM, "Justin Mazzi" [email protected] wrote:

Models can be migrated by using the migrate encryptors. Example: :migrate_aes or :migrate_mysql_aes. This works by attempting to read the data using the old encryption method and falling back to the new method. Encryption always uses the new method.

@fabiokr https://github.com/fabiokr @itspriddle https://github.com/itspriddle what are your thoughts on the below? It's pretty rough but seems to work in my testing.

```ruby
require 'digest/sha2'
require 'openssl'
require 'base64'

module CryptKeeper
  module Provider
    # Previous MysqlAes behaviour: the key is used as given.
    class OldMysqlAes < CryptKeeper::Provider::MysqlAes
      def initialize(options = {})
        @key = options.fetch(:key)
      end
    end

    # Reads with the old MysqlAes first, falls back to the new one; always writes with the new one.
    class MigrateMysqlAes
      def initialize(options = {})
        @new_enc = CryptKeeper::Provider::MysqlAes.new(options)
        @old_enc = OldMysqlAes.new(options)
      end

      def decrypt(value)
        plain_text = @old_enc.decrypt(value)

        if plain_text.blank?
          @new_enc.decrypt(value)
        else
          plain_text
        end
      end

      def encrypt(value)
        @new_enc.encrypt(value)
      end
    end

    # Previous Aes provider: AES-256-CBC, stored as Base64(iv + SEPARATOR + ciphertext).
    class OldAes
      SEPARATOR = ":crypt_keeper:"

      attr_accessor :key
      attr_accessor :aes

      def initialize(options = {})
        @aes = ::OpenSSL::Cipher::Cipher.new("AES-256-CBC")
        @aes.padding = 1

        key = options.fetch(:key) do
          raise ArgumentError, "Missing :key"
        end

        # The cipher key is the SHA-256 digest of the configured key.
        @key = Digest::SHA256.digest(key)
      end

      def encrypt(value)
        aes.encrypt
        aes.key = key
        Base64::encode64("#{aes.random_iv}#{SEPARATOR}#{aes.update(value.to_s) + aes.final}")
      end

      def decrypt(value)
        iv, value = Base64::decode64(value.to_s).split(SEPARATOR)
        aes.decrypt
        aes.key = key
        aes.iv = iv
        aes.update(value) + aes.final
      end

      def search(records, field, criteria)
        records.select { |record| record[field] == criteria }
      end
    end

    # Reads with OldAes first, falls back to the new Aes; always writes with the new one.
    class MigrateAes
      def initialize(options = {})
        @new_enc = CryptKeeper::Provider::Aes.new(options)
        @old_enc = OldAes.new(options)
      end

      def decrypt(value)
        plain_text = @old_enc.decrypt(value)

        if plain_text.blank?
          @new_enc.decrypt(value)
        else
          plain_text
        end
      end

      def encrypt(value)
        @new_enc.encrypt(value)
      end
    end
  end
end
```
from crypt_keeper.
@itspriddle how could they end up with old encryption? Doing Model.all { |m| m.save } would re-encrypt everything with the new encryption.
That is true – I didn't realize that was your intention. The migrators made it seem like you wanted to re-encrypt on demand.
from crypt_keeper.
My plan was to remove them in 0.17 release
On Feb 18, 2014, at 10:30 AM, Fabio Kreusch [email protected] wrote:
Looks good overall, my only concern is that it seems we will need to keep
the old versions around. If that is the case, maybe we should have some
kind of versioning mechanism?
from crypt_keeper.
Closed via #67
from crypt_keeper.
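An added example, not code from the thread or from crypt_keeper: one way to combine the two suggestions above (a versioning mechanism and a single-pass migration), identifying the stored format from its layout instead of by attempting decryption with the old method. The `VersionedEncryptor` class, the `v2:` prefix, the AES-256-GCM layout and `migrate_all!` are assumptions; only the legacy layout follows the `OldAes` code quoted in the thread, and rows are plain hashes standing in for model records.

```ruby
require 'openssl'
require 'base64'
require 'digest/sha2'

# Legacy layout as in the thread's OldAes: Base64(iv + ":crypt_keeper:" + CBC ciphertext).
# The "v2:" + AES-256-GCM layout is a hypothetical stand-in for the new encryptor.
class VersionedEncryptor
  SEPARATOR = ":crypt_keeper:".b
  V2 = "v2:" # ':' is not in the Base64 alphabet, so no legacy blob starts with this

  def initialize(key)
    @key = Digest::SHA256.digest(key)
  end

  def legacy?(blob) # decided from the layout, never by trial decryption
    !blob.start_with?(V2) && Base64.decode64(blob)[16, SEPARATOR.bytesize] == SEPARATOR
  end

  def encrypt_legacy(value) # only used to build constructed sample data
    c = cipher("aes-256-cbc", :encrypt)
    Base64.strict_encode64(c.random_iv + SEPARATOR + c.update(value) + c.final)
  end

  def encrypt(value) # new writes always use the v2 layout
    c = cipher("aes-256-gcm", :encrypt)
    iv = c.random_iv
    ct = c.update(value) + c.final
    V2 + Base64.strict_encode64(iv + c.auth_tag + ct)
  end

  def decrypt(blob)
    raw = Base64.decode64(blob.delete_prefix(V2))
    return open_box("aes-256-cbc", raw[0, 16], nil, raw[30..-1]) if legacy?(blob)
    open_box("aes-256-gcm", raw[0, 12], raw[12, 16], raw[28..-1]) # CipherError if tampered
  end
  def open_box(name, iv, tag, ct)
    c = cipher(name, :decrypt)
    c.iv = iv
    c.auth_tag = tag if tag
    c.update(ct) + c.final
  end
  def cipher(name, mode)
    OpenSSL::Cipher.new(name).tap { |c| c.public_send(mode); c.key = @key }
  end
end

def migrate_all!(rows, field, enc) # returns the number of rows rewritten; safe to re-run
  legacy = rows.select { |row| enc.legacy?(row[field]) }
  legacy.each { |row| row[field] = enc.encrypt(enc.decrypt(row[field])) }.size
end
```

Because every stored value carries its format, a second run rewrites nothing, and the legacy branch can be deleted once `legacy?` matches no rows.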