ActiveRecord Encryption initializes with SHA1 and then new Rails 7 default switches to SHA256 #42922
Comments
@jorgemanrubia do you have any immediate thoughts on a good solution here? I have a feeling the fix here might also solve #42414 which I have been a bit stuck on.

Fantastic report @boomer196. I'll take a stab at fixing this shortly. My first thoughts would be exposing an option to configure the digest class for ActionRecordEncryption, separated from the active support default (but probably @ghiculescu I'll have a look at #42414 too. Maybe could you follow up there with the problems you are seeing?

@jorgemanrubia I agree. This is probably the best future proofing fix. This ensures that long-term encrypted persistence is configurable in case future defaults change. I think the number of iterations should be configurable too, in case the default of

This issue has been automatically marked as stale because it has not been commented on for at least three months.
Rails 7 uses `SHA256` as the new default digest. With this change, Active Record Encryption will use `SHA256` too. This can be configured with:

```ruby
config.active_record.encryption.hash_digest_class = OpenSSL::Digest::SHA1
```

This sets the 6.0 default as `SHA1`, so that early apps that adopted encryption before the new default changed continued working without setting any config.

Fix rails#42922
`ActiveRecord::Railtie` initialization fires before `ActiveSupport::Railtie`.

In `Rails::Application::Configuration#load_defaults(7.0)` it sets `active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA256`.

Then in the `ActiveSupport::Railtie` it sets `ActiveSupport::KeyGenerator.hash_digest_class = active_support.key_generator_hash_digest_class`.

However, the `ActiveRecord::Railtie` configures `ActiveRecord::Encryption` before this configuration change happens.

What this causes is the `ActiveRecord::Encryption::Configurable.configure` to set the `context.key_provider = ActiveRecord::Encryption::DerivedSecretKeyProvider.new(primary_key)`, which uses the `ActiveSupport::KeyGenerator` from `ActiveRecord::Encryption::KeyGenerator#derive_key_from` method. At this point it uses the class's default `hash_digest_class` of `OpenSSL::Digest::SHA1`.

After `ActiveSupport::Railtie` runs the `ActiveSupport::KeyGenerator.hash_digest_class` changes to `OpenSSL::Digest::SHA256`.

I am not sure what the best fix is and there may be others, but a couple I can think of are:
- `ActiveRecord::Encryption` is "explicit" about how it configures/uses the `ActiveSupport::KeyGenerator` and possibly adds additional options for `hash_digest_class` and `iterations`. This removes the dependency. It also allows the database to live past future changes to ActiveSupport defaults.
- `ActiveSupport::KeyGenerator` changes its class default to be `OpenSSL::Digest::SHA256` and the `new_framework_defaults_7_0.rb` file sets it back to `OpenSSL::Digest::SHA1`

Steps to reproduce
- `new_framework_defaults_7_0.rb` file and `application.rb` changes to `config.load_defaults 7.0`)
- `bin/rails db:encryption:init` and adding the generated credentials (`bin/rails credentials:edit`)
- `bin/rails console`)

Expected behavior
```
ActiveRecord::Encryption.key_provider.encryption_key.secret
\xE547G\xE7\x99?\x95\xAEX\xE1\xEFS\xE9p\x87}\x93\xF8\x8A\x9Ch\x80\x95#Bee\x95\nD\x7F
```
Actual behavior
```
ActiveRecord::Encryption.key_provider.encryption_key.secret
\x8B
\x17k\xA1\xC9:a\x05>N\x10\xE4\eYD\xCFUh\x10\x9Ep\x89\x10\x15vt\xE0\x94\xAAN
ActiveRecord::Encryption::DerivedSecretKeyProvider.new(primary_key).encryption_key.secret
\xE547G\xE7\x99?\x95\xAEX\xE1\xEFS\xE9p\x87}\x93\xF8\x8A\x9Ch\x80\x95#Bee\x95\nD\x7F
OpenSSL::PKCS5.pbkdf2_hmac(primary_key, key_derivation_salt, 2**16, 32, OpenSSL::Digest::SHA1.new)
\x8B
\x17k\xA1\xC9:a\x05>N\x10\xE4\eYD\xCFUh\x10\x9Ep\x89\x10\x15vt\xE0\x94\xAAN
OpenSSL::PKCS5.pbkdf2_hmac(primary_key, key_derivation_salt, 2**16, 32, OpenSSL::Digest::SHA256.new)
\xE547G\xE7\x99?\x95\xAEX\xE1\xEFS\xE9p\x87}\x93\xF8\x8A\x9Ch\x80\x95#Bee\x95\nD\x7F
```
System configuration
Rails version: `7.0` (`gem 'rails', github: 'rails/rails', branch: 'main'`)

Ruby version: `ruby 2.7.2p137`
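
An added example (not code from Rails or from this report) showing the consequence of the digest mismatch described above: the same secret and salt give different PBKDF2 keys under SHA1 and SHA256, so a value encrypted under one key fails authentication under the other, and trying both tells you which digest existing data was written with. The secret, salt, helper names and the use of AES-256-GCM are assumptions made for the example.

```ruby
require "openssl"

# Constructed sample values, not real credentials.
PRIMARY_KEY = "constructed-primary-key-for-demo"
KEY_DERIVATION_SALT = "constructed-salt-for-demo"
ITERATIONS = 2**16 # same count as the pbkdf2_hmac calls in the report
KEY_LENGTH = 32    # bytes, as in the report

DIGESTS = { "SHA1" => OpenSSL::Digest::SHA1, "SHA256" => OpenSSL::Digest::SHA256 }.freeze

# Derive a key the same way the report's pbkdf2_hmac calls do.
def derive_key(digest_class, secret: PRIMARY_KEY, salt: KEY_DERIVATION_SALT)
  OpenSSL::PKCS5.pbkdf2_hmac(secret, salt, ITERATIONS, KEY_LENGTH, digest_class.new)
end

# Authenticated encryption (AES-256-GCM is this example's choice).
def encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext }
end

# Returns the plaintext, or nil when the key does not authenticate the message.
def decrypt(key, message)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = message[:iv]
  cipher.auth_tag = message[:tag]
  cipher.update(message[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Names of the digests whose derived key decrypts the message.
def digests_that_decrypt(message)
  DIGESTS.select { |_name, klass| decrypt(derive_key(klass), message) }.keys
end

if __FILE__ == $PROGRAM_NAME
  # A value written while the key provider was still built with SHA1.
  stored = encrypt(derive_key(OpenSSL::Digest::SHA1), "constructed value")
  puts "decrypts with: #{digests_that_decrypt(stored).inspect}"
end
```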