
I'm using the attr_encrypted gem and I also have Devise installed in my environment.

I have a user model that is handled by Devise, and the database column is: encrypted_password

Users can save clients, and I want to encrypt the client's name and age with the user's password.

My client.rb file looks like this (here the data gets encrypted successfully):

class Client < ActiveRecord::Base

  attr_accessor :name, :age   # redundant: attr_encrypted defines these accessors itself
  attr_encrypted :name, :age, key: "test1234"
end

But I'd like to encrypt the data with the Users.password. Something like this:

class Client < ActiveRecord::Base

  attr_accessor :name, :age   # redundant: attr_encrypted defines these accessors itself
  attr_encrypted :name, :age, key: current_user.encrypted_password   # NameError: no current_user in a model
end

current_user is the Devise helper method, but since it comes from the session I can't access it in a model. Basically I'd like to encrypt all the client's data with the user's password. But if I do that with the encrypted_password, then I already have the password to decrypt the whole field. I want to provide security to my users, and I don't want to know or be able to view their data. So the only way to do this is by encrypting all the data with the pre-hashed Devise user's password?

edit:

The user.encrypted_password is already hashed, and whenever I access the db I can use this to decrypt all the data, right?

So I should request the user's password -> hash it like Devise does -> compare it with users.encrypted_password?

Do I have a logic error somewhere?

How would you solve this?

AME

2 Answers


attr_encrypted provides a way to specify an instance method to provide the key.

class Client < ActiveRecord::Base
  belongs_to :user   # assumed relation between Client and User
  attr_encrypted :name, :age, key: :client_key

  # attr_encrypted calls this instance method to obtain the key for this record
  def client_key
    # just assuming relation between Client and User
    self.user.encrypted_password
  end
end

Source: https://github.com/attr-encrypted/attr_encrypted#symbols-representing-instance-methods-as-keys

marvs
  • So when I choose the user.encrypted_password, it's the already hashed value, but I do have access to it. Could I just decrypt all his clients when I retrieve the users table for the encrypted_password? – AME Nov 21 '14 at 17:34

As you are using Devise, it uses the bcrypt algorithm to encrypt your password, which is one-way encryption,

i.e. this process is not reversible; there's no way to go from the hash back to the password. So you can use that hash for encrypting the whole data.

But my suggestion would be that you use the bcrypt algorithm for encrypting your data rather than using the user password. The reasons why I am suggesting bcrypt rather than using your password hash to encrypt your data:

  • You will have to re-encrypt your data each and every time the user changes his password. If you fail to do so on any occasion, you won't be able to retrieve your data back.
  • The overhead will be more, i.e. re-encrypting the data on every password change.
  • The encrypted_password will be very tightly coupled with the user data. I feel that the user data should be independent of the password used for access, and there should be a separate, independent encryption for user data which is not related to user login or password.

You can also refer to: https://github.com/codahale/bcrypt-ruby

SRDP
  • Your question gave me some insights but it's still very abstract to me. So you would suggest to just skip all the encryption because it's just not good at all? My main goal is still that I want to encrypt the data without being able to read. Only the user should be able to read his/her data. – AME Nov 29 '14 at 14:21
  • 1
    I didn't mean that encryption is not good at all, but the fact is you can only read a user's data when you have access to the server and database, and if anyone has access to the server and database I don't think just encrypting your db or user table will help, as the application will decrypt the data when a user accesses it, so any person with access to the server can easily decrypt it. The best way to protect your user data is to put in multi-level security. But if you want to encrypt, you can check out [link](https://github.com/spikex/strongbox) – SRDP Nov 30 '14 at 09:34
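Pulling together the two threads of this page (the question's idea of keying the client records from the user's password, and the second answer's objection that a password change then forces re-encrypting every record), here is an added example that is not code from the question, the answers, Devise or attr_encrypted. It uses only Ruby's OpenSSL standard library. The module and method names, the hypothetical users.kdf_salt and users.wrapped_dek columns, and the sample user and client values are all assumptions. The password the user types is stretched with PBKDF2 into a key-encryption key; that key wraps a random data key, which in turn encrypts the client fields with AES-256-GCM; a password change re-wraps only the 32-byte data key. The bcrypt value in encrypted_password is left alone, because a value that sits in the database cannot protect data from whoever has the database.

```ruby
require 'openssl'
require 'securerandom'

# Added example (not Devise or attr_encrypted code): envelope encryption for
# per-user records. Only the wrapped DEK and a KDF salt are stored on the user
# (hypothetical columns users.kdf_salt / users.wrapped_dek).
module UserDataCrypto
  KEY_LEN = 32
  PBKDF2_ITERATIONS = 100_000 # modest so the demo is quick; raise it in production
  DEK_LABEL = 'wrapped-dek-v1'

  module_function

  # AES-256-GCM gives confidentiality and integrity; aad binds a blob to its
  # context so a ciphertext copied into another row or column will not decrypt.
  def seal(key, plaintext, aad)
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    cipher.key = key
    iv = cipher.random_iv # 12 fresh random bytes per message
    cipher.auth_data = aad
    ciphertext = cipher.update(plaintext) + cipher.final
    [iv + cipher.auth_tag + ciphertext].pack('m0') # base64, no newlines
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key, wrong aad or tampering.
  def unseal(key, blob, aad)
    raw = blob.unpack1('m0')
    iv, tag, ciphertext = raw[0, 12], raw[12, 16], raw[28..-1]
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = aad
    cipher.update(ciphertext) + cipher.final
  end

  # Stretch the typed password into a key-encryption key (KEK). The salt is
  # random per user and kept in its own column; it is unrelated to bcrypt's salt.
  def derive_kek(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                             length: KEY_LEN, hash: 'sha256')
  end

  # Sign-up: generate a random data key (DEK) and wrap it; returns the columns to store.
  def enroll(password)
    salt = SecureRandom.random_bytes(16)
    dek  = SecureRandom.random_bytes(KEY_LEN)
    { kdf_salt: salt, wrapped_dek: seal(derive_kek(password, salt), dek, DEK_LABEL) }
  end

  # Login: recover the DEK from the typed password. Keep it in the session or
  # process memory only; it is never written to the database.
  def unlock_dek(user_row, password)
    unseal(derive_kek(password, user_row[:kdf_salt]), user_row[:wrapped_dek], DEK_LABEL)
  end

  # Password change: re-wrap the DEK under the new password. No client row is
  # touched, so the re-encryption cost raised in the second answer disappears.
  def rewrap(user_row, old_password, new_password)
    dek  = unlock_dek(user_row, old_password)
    salt = SecureRandom.random_bytes(16)
    { kdf_salt: salt, wrapped_dek: seal(derive_kek(new_password, salt), dek, DEK_LABEL) }
  end

  # Encrypt one client's fields; aad ties every blob to its client id and column.
  def encrypt_client(dek, client_id, fields)
    fields.map { |col, val| [col, seal(dek, val.to_s, "client:#{client_id}:#{col}")] }.to_h
  end

  def decrypt_client(dek, client_id, row)
    row.map { |col, blob| [col, unseal(dek, blob, "client:#{client_id}:#{col}")] }.to_h
  end

  # true if the block fails GCM authentication (wrong key or wrong context)
  def rejected?
    yield
    false
  rescue OpenSSL::Cipher::CipherError
    true
  end

  # End-to-end walk-through on constructed sample data; returns checkable values.
  def demo
    user = enroll('correct horse')
    dek  = unlock_dek(user, 'correct horse')
    row  = encrypt_client(dek, 42, name: 'Alice', age: 34)
    user2 = rewrap(user, 'correct horse', 'battery staple') # user changes password
    dek2  = unlock_dek(user2, 'battery staple')
    { fields: decrypt_client(dek2, 42, row),
      same_dek: dek == dek2,
      old_password_rejected: rejected? { unlock_dek(user2, 'correct horse') },
      swapped_rejected: rejected? { unseal(dek2, row[:name], 'client:43:name') } }
  end
end

puts UserDataCrypto.demo.inspect if $PROGRAM_NAME == __FILE__
```

What the operator's database holds is the salt, the wrapped DEK and the client blobs; without the password the user typed, none of it decrypts, which is the property the question asks for. The caveat in the last comment above still applies: while the user is logged in the DEK is in the server's memory, so a compromised application can read that user's data for the duration of the session, and a forgotten password means the data is gone unless a separate recovery key has been escrowed.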