Guidelines for key and salt about crypt_keeper HOT 7 CLOSED

@creativetags that's not a good idea. If you implement it like this, the salt will change between instances of that model because salt will be a new value each time. The value of salt and key need to stay the same or you will not be able to decrypt the data.

You should generate the key and salt via the code I sent you earlier, then place the string values in the model.

~ ➤ ruby -e "require 'securerandom'; puts SecureRandom.hex(64)"                                                                                                                                                                                                                      
5e89c42dbe6c000fcdc1e32ce7cc6fc296f41baaa9282a92a080359a0cb56294b59871f93c5e9f76411cc6ee557ab6c9f0a3421cd739a7210158dc1c19d516b9
~ ➤ ruby -e "require 'securerandom'; puts SecureRandom.hex(64)"                                                                                                                                                                                                                      
744ca2298ee91af3320281270d9a7b55925dcd605dbe58100e11276078747ea15c10ef38008d9bb30e0d3db372d14a3a26d115d8a43a084e9f717322f8ada6be
~ ➤   

class Model < ActiveRecord::Base
  crypt_keeper :field, 
    :encryptor => :mysql_aes_new,
    :key => "5e89c42dbe6c000fcdc1e32ce7cc6fc296f41baaa9282a92a080359a0cb56294b59871f93c5e9f76411cc6ee557ab6c9f0a3421cd739a7210158dc1c19d516b9"
    :salt => "744ca2298ee91af3320281270d9a7b55925dcd605dbe58100e11276078747ea15c10ef38008d9bb30e0d3db372d14a3a26d115d8a43a084e9f717322f8ada6be"
end

You can pass in the salt and key using ENV variables like you demonstrated above, they values just cant change.

Encryption is model level, you should be using the same key/salt for all columns.

from crypt_keeper.

@swaps19 thanks for the suggestion! I've opened #153 to get this added, likely to land in master next week.

from crypt_keeper.

@creativetags I would recommend at least 32, the above example uses 64. Salt and key should be two distinct random strings. Here is a simple way to generate a strong key and salt.

ruby -e "require 'securerandom'; puts SecureRandom.hex(64)"

Can you explain your column question in more detail?

from crypt_keeper.

Thanks @jmazzi. By 'column' I mean attribute in the database. Here's what I'm thinking of doing:

crypt_keeper :field, :encryptor => :mysql_aes_new, :key => ENV['TOKEN_KEY'], salt: SecureRandom.hex(64)

where TOKEN_KEY is like a SECRET_TOKEN that is SecureRandom.hex(64) generated one time.

from crypt_keeper.

Ok, great. That's what I wanted to know. Thanks

from crypt_keeper.

@creativetags no problem. I should mention that the key and salt are used to create a derived passphrase using PBKDF2. That's all it's used for.

from crypt_keeper.

@jmazzi It would be great if you place this information in the readme file itself. As many new users might face this situation.

from crypt_keeper.