Enkrip

Encrypt & decrypt Active Record's model attributes with ActiveSupport::MessageEncryptor. See Enkrip Example Rails Application for demo.

Goals

• Seamlessly encrypt and decrypt value for both string and numeric attribute
• Compatible with Active Model validation
• Automatically convert numeric attributes to desired format after decryption

Limitations

• All attributes that are defined in numeric_attributes will be forced to use UTF-8 encoding
• Enkrip requires Active Record 5.2 or newer
• Does not compatible with activerecord-import
• In some cases, does not compatible with ActiveRecord::Attributes

Installation

Add enkrip to your Rails app’s Gemfile and run bundle install:

gem 'enkrip'

Configuration

After installation, you need to define ENKRIP_LENGTH, ENKRIP_SALT, and ENKRIP_SECRET environment variables:

# example
# 32 is default value from ActiveSupport::MessageEncryptor.key_len
export ENKRIP_LENGTH=32

# you can generate this value with SecureRandom.random_bytes(YOUR_ENKRIP_LENGTH)
export ENKRIP_SALT=random_salt_with_length_32

# 32 random characters
export ENKRIP_SECRET=random_secret_with_length_32

Usage

Use text data type for encrypted attributes

# migration

class CreatePosts < ActiveRecord::Migration[5.2]
  def change
    create_table :posts do |t|
      t.text :my_string
      t.text :my_numeric

      t.timestamps
    end
  end
end

After run the migration, define your encrypted attributes

# Active Record model

class Post < ActiveRecord::Base
  include Enkrip::Model

  enkrip_configure do |config|
    config.string_attributes << :my_string
    config.numeric_attributes << :my_numeric
    config.purpose = :example # optional, default is nil
    config.convert_method_for_numeric_attribute = :to_f # optional, default is to_i
    config.default_value_if_numeric_attribute_blank =  0.0 # optional, default is 0
  end

  validates :my_numeric, numericality: { greater_than: 0 }
  validates :my_string, presence: true
end

You can check encrypted value from rails console with raw query

# Rails 5.2 console
post = Post.new => #<Post id: nil, my_string: nil, my_numeric: nil, created_at: nil, updated_at: nil>
post.valid? # => false
post.errors.full_messages # => ["My numeric must be greater than 0", "My string can't be blank"]

post.my_string = "aloha" # => "aloha"
post.my_numeric = 5 # => 5
post.save # => true

raw = ActiveRecord::Base.connection.exec_query 'SELECT my_string, my_numeric FROM posts limit 1'

raw.rows.first[raw.columns.find_index('my_string')]
# => "TUVQcnRBck5oYzMvRlRZUWR3Mzlzdz09LS1tZ09xNGNYbnkzdFc2d1duMEIrdUdBPT0=--ffae1f04753ca5c636915746a4c6fccf81897138"

raw.rows.first[raw.columns.find_index('my_numeric')]
# => "TkdSbURRNzVMbUF6MjF0bjI2ZEtmQT09LS1rRHhqQ2xpWGhYaHBoRlhCRnVZSmh3PT0=--74e45e6c96df78258a1731994a71a74c5047d655"

post.reload
post.my_string # => "aloha"
post.my_numeric # => 5

Usage For non-Active Record Model

You can use Enkrip::Engine.encrypt and Enkrip::Engine.decrypt to encrypt and decrypt a value.

my_string = 'hello world'

encrypted_my_string = Enkrip::Engine.encrypt my_string
# => "MzZ1M0RDSWdQQ0VaRVJXT3NBYlVTWExWVnVSbXNBeXRMSC9wYWdoeW5Ddz0tLVNVT2l6NDJCd1ZxbW1lYnl2eC9PakE9PQ==--c7436c403595c18fef802a51be29f73d5bb73f19"

Enkrip::Engine.decrypt encrypted_my_string
# => "hello world"

You can pass purpose to the Enkrip::Engine.decrypt and Enkrip::Engine.encrypt.

# you can pass purpose parameter, default purpose is nil.
second_string = 'hello world 2'
another_encrypted_my_string = Enkrip::Engine.encrypt second_string, purpose: :example_purpose

Enkrip::Engine.decrypt another_encrypted_my_string, purpose: :random_purpose # => nil
Enkrip::Engine.decrypt another_encrypted_my_string # => nil
Enkrip::Engine.decrypt another_encrypted_my_string, purpose: :example_purpose # => "hello world 2"

License

Enkrip is released under the MIT License.