Comments on: Simple Two Way Encryption for Ruby on Rails http://www.erichurst.com/simple-two-way-encryption-for-ruby-on-rails/ Ruby on Rails Developer Sat, 14 Nov 2009 20:00:05 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: sco http://www.erichurst.com/simple-two-way-encryption-for-ruby-on-rails/comment-page-1/#comment-5774 sco Sat, 14 Nov 2009 20:00:05 +0000 http://www.erichurst.com/?p=361#comment-5774 Very cool, nice that the gem supports that. Another solution (sort of) is to use asymmetric (public key) encryption -- so that one key is used to encrypt stuff, but another key is require to decrypt it. E.g., if you're storing credit card numbers, you could set up a separate billing server with the private key, and keep it behind a very tight firewall. That way, you could give your attacker access to the whole database and application without revealing the secrets. Here's an old-but-good writeup on that approach: http://blog.leetsoft.com/2006/03/14/simple-encryption Very cool, nice that the gem supports that.

Another solution (sort of) is to use asymmetric (public key) encryption — so that one key is used to encrypt stuff, but another key is require to decrypt it. E.g., if you’re storing credit card numbers, you could set up a separate billing server with the private key, and keep it behind a very tight firewall. That way, you could give your attacker access to the whole database and application without revealing the secrets. Here’s an old-but-good writeup on that approach: http://blog.leetsoft.com/2006/03/14/simple-encryption

]]> By: Eric Hurst http://www.erichurst.com/simple-two-way-encryption-for-ruby-on-rails/comment-page-1/#comment-5773 Eric Hurst Sat, 14 Nov 2009 19:20:03 +0000 http://www.erichurst.com/?p=361#comment-5773 Sco, You are quite right. Sean addresses this challenge here: <a href="http://wiki.github.com/shuber/attr_encrypted/questionsandanswers" rel="nofollow">http://wiki.github.com/shuber/attr_encrypted/questionsandanswers</a>. Basically, set the key as a proc, and require the user to enter a password anytime they wish to access any encrypted data. Sco,

You are quite right. Sean addresses this challenge here: http://wiki.github.com/shuber/attr_encrypted/questionsandanswers. Basically, set the key as a proc, and require the user to enter a password anytime they wish to access any encrypted data.

]]> By: sco http://www.erichurst.com/simple-two-way-encryption-for-ruby-on-rails/comment-page-1/#comment-5772 sco Sat, 14 Nov 2009 19:15:15 +0000 http://www.erichurst.com/?p=361#comment-5772 Nice article. I think it's worth mentioning, though, that the encrypted data is only as safe as the key. So if an attacker just got access to the database, the SSNs are safe. But if they got access to the app server (or your git repo, or whatever), then the secrets would be out. Nice article. I think it’s worth mentioning, though, that the encrypted data is only as safe as the key. So if an attacker just got access to the database, the SSNs are safe. But if they got access to the app server (or your git repo, or whatever), then the secrets would be out.

]]>