We have upgraded our application to rails 7, and we are now having issues with the attr_encrypted gem. When we try start a rails server/console we get the following error:
gems/ruby-3.0.2/gems/attr_encrypted-3.1.0/lib/attr_encrypted.rb:176:in `block in attr_encrypted': undefined method `[]=' for nil:NilClass (NoMethodError)
If we revert back to rails 6 the error disappears, has anyone experienced the same issue?
So I have finally figured out what's going on.
Rails 7.0 has it's own encryption, both the attr_encrypted gem and rails 7 refer to the variable encrypted_attributes and the rails 7 variable takes precedence making the gem useless. There is a PR on the attr_encrypted gem to fix this but the gem has not been updated in years and I doubt it will be now.
GoRails published a tutorial on how to migrate your data from using attr_encrypted to using the rails 7 encryption. I did not want to pay for it so I checked out the git repo for the tutorial.
What they did is they decrypted the data themselves in a migration and updated the new encrypted fields manually.
Here is the link to their migration. https://github.com/gorails-screencasts/migrate-attr_encrypted-to-rails-7-encryption/blob/master/db/migrate/20211005214633_migrate_encrypted_attributes.rb
A new version 4.0.0 of the gem attr_encrypted was released on April 6 2023 and it comes with Rails 7 support.
Based on previous answer, a complete migration in both directions:
class SwitchToRailsBuiltInEncryption < ActiveRecord::Migration[7.0]
ATTRIBUTES = [
[Account, :password],
[Account, :client_secret],
]
def up
ATTRIBUTES.each do |klass, attribute|
klass.reset_column_information
add_column klass.table_name, attribute, :string, length: 510
klass.all.each do |record|
puts "Processing #{klass} with ID #{record.id}"
if record.send("encrypted_#{attribute}").present?
encrypted_value = record.send("encrypted_#{attribute}")
iv = record.send("encrypted_#{attribute}_iv")
value = decrypt(encrypted_value, iv)
record.update!(attribute => value)
end
end
remove_column klass.table_name, "encrypted_#{attribute}"
remove_column klass.table_name, "encrypted_#{attribute}_iv"
end
end
def down
ATTRIBUTES.each do |klass, attribute|
add_column klass.table_name, "encrypted_#{attribute}", :string, length: 510
add_column klass.table_name, "encrypted_#{attribute}_iv", :string, length: 510
klass.all.each do |record|
puts "Processing #{klass} with ID #{record.id}"
if record.send(attribute).present?
encrypted_value, iv = encrypt(record.send(attribute))
record.update!("encrypted_#{attribute}" => encrypted_value, "encrypted_#{attribute}_iv" => iv)
end
end
remove_column klass.table_name, attribute
end
end
# based on https://github.com/gorails-screencasts/migrate-attr_encrypted-to-rails-7-encryption/blob/master/db/migrate/20211005214633_migrate_encrypted_attributes.rb
# as suggested by https://stackoverflow.com/questions/72096672/using-attr-encrypted-with-rails-7
def decrypt(encrypted_value, iv)
value = Base64.decode64(encrypted_value)
cipher = OpenSSL::Cipher.new("aes-256-gcm")
cipher.decrypt
cipher.key = Rails.application.credentials.key
cipher.iv = Base64.decode64(iv)
cipher.auth_tag = value[-16..]
cipher.auth_data = ""
cipher.update(value[0..-17]) + cipher.final
end
def encrypt(value)
cipher = OpenSSL::Cipher.new("aes-256-gcm")
cipher.encrypt
cipher.key = Rails.application.credentials.key
iv = cipher.random_iv
cipher.auth_data = ""
encrypted_value = cipher.update(value) + cipher.final
return Base64.encode64(encrypted_value + cipher.auth_tag), Base64.encode64(iv)
end
end
