Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/cyberdelia/sequel-vault

Encrypt Sequel attribute
https://github.com/cyberdelia/sequel-vault

encryption sequel sequel-plugin

Last synced: 29 days ago
JSON representation

Encrypt Sequel attribute

Host: GitHub
URL: https://github.com/cyberdelia/sequel-vault
Owner: cyberdelia
License: mit
Created: 2015-04-05T19:44:26.000Z (over 9 years ago)
Default Branch: master
Last Pushed: 2018-01-14T22:45:25.000Z (almost 7 years ago)
Last Synced: 2024-05-02T05:54:01.216Z (7 months ago)
Topics: encryption, sequel, sequel-plugin
Language: Ruby
Homepage: https://rubygems.org/gems/sequel_vault
Size: 16.6 KB
Stars: 5
Watchers: 2
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

# Sequel-vault

Use [fernet](https://github.com/fernet/fernet-rb) to encrypt columns values in your Sequel database.

## Installation

Install it directly using gem:

```
gem install sequel_vault
```

Or adding it to your ``Gemfile``:

```
gem "sequel_vault"
```

## Usage

## Configure

A straightforward example, passing keys and columns that will be encrypted
transparently:

```ruby
class Credential < Sequel::Model
plugin :vault, ['9cLL4qVO+bkEqGQtcvQX4Cz4uJ1ni9Nb83ipU/9klsw='], :token
end
```

Along with a typical migration for this setup:

```ruby
Sequel.migration do
change do
alter_table(:credentials) do
add_column(:token, :bytea)
add_column(:token_digest, :bytea)
add_column(:key_id, :smallint)
end
end
end
```

### Keys

Vault use [fernet](https://github.com/fernet/fernet-rb) behind the scene, the
keys should be 32 bytes of random data, base64-encoded.

To generate one you can use:

```console
$ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64
```

You can specify more than one key to be used. The last keys of the array will
be used as the default for encryption.

### Keys migration

If a ``key_id`` column is present, vault will set its value to the length of
the keys array. You can check if a key is still in use using:

```ruby
Credential.where(key_id: 1).empty?
```

You should avoid removing a key when using ``key_id``, unless you proceed to
migrate its value.

Here is a migration example to add a ``key_id`` column:

```ruby
Sequel.migration do
change do
alter_table(:credentials) do
add_column(:key_id, :smallint)
end
end
end
```

### Digest lookup

To allow lookup by a know secret, vault allow an optional digest column for each
encrypted attribute, using the ``_digest`` suffix:

```ruby
Sequel.migration do
change do
alter_table(:credentials) do
add_column(:token_digest, :bytea)
end
end
end
```

You can then lookup using the provided dataset lookup:

```ruby
Credential.token_lookup('secret')
```

### Unencrypted data

Vault will return plain-text data if none of the keys can successfully decrypt
the stored value, effectively allowing encrypt on write migration.