Home / Ruby / Security

Modern encryption for Rails

Lockbox 🔒 File encryption for Ruby and Rails Supports Active Storage and CarrierWave Uses AES-GCM by default for authenticated encryption Makes key rotation easy Check out this post for more info on securing se
Information
Category: Ruby / Security
Watchers: 12
Star: 1.3k
Fork: 66
Last update: Nov 27, 2023
Resource links
https://github.com/ankane/lockbox

Lockbox

🔒 File encryption for Ruby and Rails

Check out this post for more info on securing sensitive data with Rails

Build Status

Installation

Add this line to your application’s Gemfile:

gem 'lockbox'

Key Generation

Generate an encryption key

SecureRandom.hex(32)

Store the key with your other secrets. This is typically Rails credentials or an environment variable (dotenv is great for this). Be sure to use different keys in development and production. Keys don’t need to be hex-encoded, but it’s often easier to store them this way.

Alternatively, you can use a key management service to manage your keys.

Files

Create a box

box = Lockbox.new(key: key)

Encrypt

ciphertext = box.encrypt(File.binread("license.jpg"))

Decrypt

box.decrypt(ciphertext)

Active Storage

Add to your model:

class User < ApplicationRecord
  has_one_attached :license
  attached_encrypted :license, key: key
end

Works with multiple attachments as well.

class User < ApplicationRecord
  has_many_attached :documents
  attached_encrypted :documents, key: key
end

There are a few limitations to be aware of:

  • Metadata like image width and height are not extracted when encrypted
  • Direct uploads cannot be encrypted

CarrierWave

Add to your uploader:

class LicenseUploader < CarrierWave::Uploader::Base
  encrypt key: key
end

Encryption is applied to all versions after processing.

Serving Files

To serve encrypted files, use a controller action.

def license
  send_data @user.license.download, type: @user.license.content_type
end

Use read instead of download for CarrierWave.

Key Rotation

To make key rotation easy, you can pass previous versions of keys that can decrypt.

Lockbox.new(key: key, previous_versions: [{key: previous_key}])

For Active Storage use:

class User < ApplicationRecord
  attached_encrypted :license, key: key, previous_versions: [{key: previous_key}]
end

To rotate existing files, use:

user.license.rotate_encryption!

For CarrierWave, use:

class LicenseUploader < CarrierWave::Uploader::Base
  encrypt key: key, previous_versions: [{key: previous_key}]
end

To rotate existing files, use:

user.license.rotate_encryption!

Algorithms

AES-GCM

The default algorithm is AES-GCM with a 256-bit key. Rotate the key every 2 billion files to minimize the chance of a nonce collision, which will leak the key.

XChaCha20

Install Libsodium >= 1.0.12 and add rbnacl to your application’s Gemfile:

gem 'rbnacl'

Then pass the algorithm option:

# files
box = Lockbox.new(key: key, algorithm: "xchacha20")

# Active Storage
class User < ApplicationRecord
  attached_encrypted :license, key: key, algorithm: "xchacha20"
end

# CarrierWave
class LicenseUploader < CarrierWave::Uploader::Base
  encrypt key: key, algorithm: "xchacha20"
end

Make it the default with:

Lockbox.default_options = {algorithm: "xchacha20"}

You can also pass an algorithm to previous_versions for key rotation.

Key Management

You can use a key management service to manage your keys with KMS Encrypted.

For Active Storage, use:

class User < ApplicationRecord
  attached_encrypted :license, key: :kms_key
end

For CarrierWave, use:

class LicenseUploader < CarrierWave::Uploader::Base
  encrypt key: -> { model.kms_key }
end

Note: KMS Encrypted’s key rotation does not know to rotate encrypted files, so avoid calling record.rotate_kms_key! on models with file uploads for now.

Reference

Pass associated data to encryption and decryption

box.encrypt(message, associated_data: "bingo")
box.decrypt(ciphertext, associated_data: "bingo")

History

View the changelog

Contributing

Everyone is encouraged to help improve this project. Here are a few ways you can help:

2 Open More issues
Closed

Lockbox doesn't work with fields where used `money-rails` gem

Hello guys and thanks for your work.

I am trying to use your gem to encrypt salary fields in our application with other gem money rails that handle all salary fields. I'm a little stuck because I can't monetize encrypted fields after applying all migrations. For example, we have a model:

class Bill < ApplicationRecord
  monetize :payment_amount_cents, numericality: { greater_than: 0 }

  validates :payment_amount, numericality: true, presence: true

  encrypts :payment_amount_cents, type: :integer
end

In my case, this implementation does not work, although it does not issue errors. It just doesn't update the field payment_amount in database.

Do you have an idea how to implement this?

opened Mar 25, 2021 by Synkevych 13
Closed

"TypeError: can't convert message to string" error when migrating actiontext

Hello,

I am following the documentation, seems simple :), but when I do "Lockbox.migrate(ActionText::RichText)" in the console, I get this error message: "TypeError: can't convert message to string".

I've search on the internet and in the passed lockbox issue but I cannot figured out where is the problem.

Is someone run onto this problem ?

Thanks in advance for answers.

opened Jun 25, 2020 by Nodalailama 11
Closed

Ideas

0.7.0

  • [x] Drop support for Active Record < 5.2 and Ruby < 2.6
  • [x] Raise an error for unsupported versions of Active Record and CarrierWave

1.0.0 (breaking)

  • [ ] Add binary option to replace encode and encode by default for Lockbox.new
  • [ ] [maybe] Decode to UTF-8 unless binary: true - utf8 branch
  • [ ] Don't encode in Base64 for binary database fields (if simple to implement)
  • [ ] [maybe] Create new blobs when blobs are attached without encrypted flag

Considering

  • [ ] Lockbox::Redis and Lockbox::Dalli for cache stores (probably better as separate gem) - cache_stores branch - or Lockbox::Cache::Store for Active Support cache store
  • [ ] Prefer encrypt_attribute and decrypt_attribute over generate_attribute_ciphertext and decrypt_attribute_ciphertext
  • [ ] Don't return virtual attributes in attribute methods (attributes, attribute_names, has_attribute?) unless the ciphertext attribute is present
  • [ ] Use Fiddle for Libsodium - libsodium branch
  • [ ] Warn (and eventually throw error) if the master key is passed to Lockbox.new
  • [ ] Require allow_empty option to encrypt empty string without padding
  • [ ] Encrypt empty strings in database fields - model_empty_string branch
  • [ ] Add support for encrypted Active Storage service (can wrap any other service) - more useful in 6.1+ since multiple services are supported (blocked since encryption needs to happen before checksum is computed)
  • [ ] Store the encryption version to make it easy to see which data has been rotated and avoid trying multiple keys. Could be done in an optional new field (email_ciphertext_version, license_version, blob metadata) or directly in the ciphertext (needs to work for files/binary data)
  • [ ] Prefer encrypts over encrypt for CarrierWave
  • [ ] Default padding for encoded strings to reduce data leakage (cons: less standard, slightly more space)
  • [ ] Prefer ActiveSupport.on_load(:action_text_rich_text) { ActionText::RichText.encrypts :body } over Lockbox.encrypts_action_text_body (more code but less magic)
  • [ ] Add associated_data option to models
  • [ ] Add pretty_print method (similar to inspect)

On hold

  • [ ] Support for streaming encryption (probably not needed) - streaming branch
  • [ ] Better support for KMS (store key in data/metadata instead of DB) - kms_encrypt branch
  • [ ] Shrine support - shrine branch - WIP
opened Jan 21, 2019 by ankane 11
Closed

Lockbox::DecryptionError (Decryption failed) when rotating

When I try to rotate the key I get Lockbox::DecryptionError (Decryption failed) (even in master, which helped in this issue)

Steps to reproduce:

  1. I have a master key in place here: Rails.application.credentials.lockbox[:master_key]

  2. Suppose it got leaked. I generate a new key: Lockbox.generate_key

  3. I store it as the new master_key here: Rails.application.credentials.lockbox[:master_key]

  4. The old one is now old_master_key here: Rails.application.credentials.lockbox[:old_master_key]

  5. I modify my User model with: encrypts :email, :unconfirmed_email, previous_versions: [{master_key: Rails.application.credentials.lockbox[:old_master_key]}]

  6. I run Lockbox.rotate(User, attributes: [:email, :unconfirmed_email])

  7. I get Lockbox::DecryptionError (Decryption failed)

opened Feb 9, 2021 by herunan 9
Closed

Lockbox::DecryptionError even when the old key is provided in previous_versions

I install lockbox-0.3.1 I set up a model with encrypts :patron_email I run the migration add_column :r_and_r_items, :patron_name_ciphertext, :text I set my master key in dev:

lockbox_master_key: '0000000000000000000000000000000000000000000000000000000000000000'

I persist an item with this key. It's persisted correctly -- the value in the database is encrypted, and the value as shown is correct.

Let's suppose my key is compromised. I now change the lockbox_master_key used to

lockbox_master_key: '000000000000000000000000000000000000000000000000000000000000aaaa'

As expected, I get a Lockbox::DecryptionError: Decryption failed if I try to decrypt the encoded patron_email with the new key.

I now change the model to:

encrypts :patron_email, previous_versions: [{key: "0000000000000000000000000000000000000000000000000000000000000000"}]

Expected behavior:

Lockbox attempts to decypher the encrypted patron_email, fails, then tries with the key listed in previous_versions, succeeds, and returns that.

Actual behavior:

Lockbox::DecryptionError: Decryption failed is thrown.

opened Feb 12, 2020 by eddierubeiz 9
Closed

NoMethodError: undefined method `except' for false:FalseClass

Hey Ankane,

I'm getting an error that's related to ActiveStorage. Here's the relevant backtrace:

NoMethodError: undefined method 'except' for false:FalseClass ruby-2.6.3/gems/lockbox-0.2.0/lib/lockbox/utils.rb:4:in 'build_box' ruby-2.6.3/gems/lockbox-0.2.0/lib/lockbox/active_storage_extensions.rb:18:in 'encrypt_attachable' ruby-2.6.3/gems/lockbox-0.2.0/lib/lockbox/active_storage_extensions.rb:55:in 'attach' ruby-2.6.3/gems/active_storage_base64-0.1.4/lib/active_storage_support/base64_one.rb:5:in 'attach'

It's happening on my User model where I have a bunch of encrypted attributes, and two has_one_attached avatars which I'm not encrypting.

I'm still going through the Lockbox code, however my hunch is that Lockbox is trying to attach to the has_one_attached attribute even though I haven't flagged it as encrypted, and returns false because of it.

I've forked the repo and disabled the loading of the ActiveStorage classes in railties.rb and everything works fine.

Keen to continue using Lockbox! Thanks for your work!

  • Adrian
awaiting response 
opened Jul 18, 2019 by sparrowflights 8
Open

Idea: console1984 integration

Love this library, just so well thought through, thank you!

We're adding console1984 and would love the same no-decrypt-by-default that it has for AR Encryption: https://github.com/basecamp/console1984?tab=readme-ov-file#access-to-encrypted-data

Is that possible?

opened Oct 31, 2023 by bmulholland 0
Open

Ideas

Please create a new issue to discuss any ideas or share your own.

2.0

  • [ ] Change previous_versions to inherit top-level values (add warning first) - #180
  • [ ] Drop support for Ruby < 3, Rails < 6.1, and Mongoid < 7

Ideas

  • [ ] Add binary option to replace encode (and eventually encode by default for Lockbox.new)
  • [ ] Decode to UTF-8 unless binary: true - utf8 branch
  • [ ] (breaking) Don't encode in Base64 for binary database fields if simple to implement
  • [ ] (breaking) Create new blobs when blobs are attached without encrypted flag
  • [ ] Prefer encrypt_attribute and decrypt_attribute over generate_attribute_ciphertext and decrypt_attribute_ciphertext
  • [ ] Add support for cache stores (Lockbox::Redis and Lockbox::Dalli - cache_stores branch - or Lockbox::Cache::Store for Active Support cache store)
  • [ ] Don't return virtual attributes in attribute methods (attributes, attribute_names, has_attribute?) unless the ciphertext attribute is present
  • [ ] Use Fiddle for Libsodium - libsodium branch
  • [ ] Warn (and eventually throw error) if the master key is passed to Lockbox.new
  • [ ] Require allow_empty option to encrypt empty string without padding
  • [ ] Encrypt empty strings in database fields - model_empty_string branch
  • [ ] Add support for encrypted Active Storage service (can wrap any other service) - more useful in 6.1+ since multiple services are supported (blocked since encryption needs to happen before checksum is computed)
  • [ ] Store the encryption version to make it easy to see which data has been rotated and avoid trying multiple keys. Could be done in an optional new field (email_ciphertext_version, license_version, blob metadata) or directly in the ciphertext (needs to work for files/binary data)
  • [ ] Default padding for encoded strings to reduce data leakage (cons: less standard, slightly more space)
  • [ ] Prefer ActiveSupport.on_load(:action_text_rich_text) { ActionText::RichText.encrypts :body } over Lockbox.encrypts_action_text_body (more code but less magic)
  • [ ] Add pretty_print method (similar to inspect)

On hold

  • [ ] Support for streaming encryption (probably not needed) - streaming branch
  • [ ] Better support for KMS (store key in data/metadata instead of DB) - kms_encrypt branch
  • [ ] Shrine support - shrine branch - WIP
opened Jun 11, 2022 by ankane 0

Contents

    rails-api Rails for API only applications
    jasonswett Instant Rails is a Rails application template that comes with certain common tools, like Devise and RSpec, pre-installed.
    hothero A collection of awesome Ruby Gems for Rails development.
    pentagonal Store Encrypted Data [ support multiple DataType for Salt Key & Value ]
    iamMehedi A cryptography library and a SharedPreferences wrapper for Android that encrypts the content with 256 bit AES encryption. The Encryption key is securely stored in device's KeyStore.
    ruppde Crypto Puzzles is a tool and library to provide a bunch of functions for encryption or pseudo encryption as puzzles or brain teasers
    Screetsec imR0T: Send a quick message with simple text encryption to your whatsapp contact and protect your text by encrypting and decrypting, basically in ROT13 with new multi encryption based algorithm on ASCII and Symbols Substitution
    miscreant miscreant - Symmetric encryption library providing misuse-resistant authenticated encryption (MRAE) including AES-SIV (RFC 5297), AES-PMAC-SIV, and the STREAM segmented encryption construction
    davesag Jose-Simple allows the encryption and decryption of data using the JOSE (JSON Object Signing and Encryption) standard.
    ankane Simple, secure key management for Active Record encryption
    brandis-project Brandis: End-to-end encryption for everyone
    resilar SQLite3 encryption that sucks less
    weppos A simple Ruby on Rails plugin for creating and managing a breadcrumb navigation.
    richpeck 💣 CUSTOM ERROR PAGES 💣 for Ruby on Rails → Translate Ruby/Rails Exceptions Into Branded 4xx/5xx HTTP Error Pages.
    metaskills :-1: :train: Less.js For Rails
    basecamp Sign in (or up) with Google for Rails applications
    voormedia Generate Entity-Relationship Diagrams for Rails applications
    doorkeeper-gem Doorkeeper is an OAuth 2 provider for Ruby on Rails / Grape.
    rharriso bower-rails - Bundler-like DSL + rake tasks for Bower on Rails
    f GraphQL.js Rails for Rails 5
    zhusas Scripts for Rails production environment install on Ubuntu Server
    Share this repo

    Related Repos


    Security
    45
    Metasploit Modules Development
    0x727 Metasploit Modules Development
     
    Security
    26
    Application-level encryption for Redis and Memcached
    ankane Encrypts keys, values, list elements, set members, and hash fields while still being able to perform a majority of operations 🎉
     
    Security
    12
    Exports primitive and predefined GCP IAM Roles and their permissions
    darkbitio This repository fetches the ~550 primitive and predefined IAM Roles in JSON format to the roles directory. A GitHub Action is configured to refresh them daily. This allows for automatic tracking of changes as they are made by GCP.
     
    Security
    30
    Ruby sensitive filter using DFA algorithm
    luolinae86 Ruby sensitive filter using DFA algorithm
     
    Security
    14
    CVE-2020-8163 - Remote code execution of user-provided local names in Rails
    sh286 CVE-2020-8163 - Remote code execution of user-provided local names in Rails
     
    Security
    8
    jpm is a password manager using openssl and signify (and optionally xclip)
    jeremyevans jpm is a password manager using openssl and signify (and optionally xclip). Technically, it doesn't have anything to do with passwords, it just manages encrypted and signed files.
     
    Security
    242
    This tool is used to map out the network data flow to help penetration testers identify po...
    vonahisec This tool is used to map out the network data flow to help penetration testers identify potentially valuable targets
     
    Security
    1.3k
    Modern encryption for Rails
    ankane Lockbox 🔒 File encryption for Ruby and Rails Supports Active Storage and CarrierWave Uses AES-GCM by default for authenticated encryption Makes key rotation easy Check out this post for more info on securing se
     
    Security
    1.3k
    Authorization framework for Ruby/Rails applications
    palkan Action Policy Authorization framework for Ruby and Rails applications. Composable. Extensible. Performant. 📑 Documentation Resources RubyRussia, 2019 "Welcome, or access denied?" talk (video [RU],
     
    Security
    433
    A secret manager backed by Keybase and KBFS.
    kbsecret Warning: KBSecret is currently maintained on a best-effort basis. PRs are strongly preferred over new issues. KBSecret is a command line utility and library for managing secrets. Quick links: Installation instructions
     
    Security
    501
    Sign in (or up) with Google for Rails applications
    basecamp Google Sign-In for Rails This gem allows you to add Google sign-in to your Rails app. You can let users sign up for and sign in to your service with their Google accounts. Installation Add google_sign_in to your Rails
     
    Security
    1.8k
    Checklist of security precautions for Ruby on Rails applications.
    brunofacca Zen Rails Security Checklist Summary This document provides a not necessarily comprehensive list of security measures to be implemented when developing a Ruby on Rails application. It is designed to serve as a quick re
     
    Security
    191
    Freeze all core ruby classes
    jeremyevans Refrigerator Refrigerator offers an easy way to freeze all ruby core classes and modules. It's designed to be used in production to make sure that no code is making unexpected changes to core classes or modules at runtime.
     
    Security
    126
    Underlock makes it dead simple to encrypt and decrypt your data and files. It comes with l...
    metaware Underlock Underlock makes it dead simple to encrypt and decrypt your data and files. It comes with little to no dependencies and has a very small API surface. Installation Add this line to your application's Gemfi
     
    Security
    1.3k
    :key: Community-driven Rails Security Checklist (see our GitHub Issues for the newest chec...
    eliotsykes Rails Security Checklist This checklist is limited to Rails security precautions and there are many other aspects of running a Rails app that need to be secured (e.g. up-to-date operating system and other software) that this does