Encrypted Rails fields failing to decrypt after upgrading to latest ref

[nickhammond]

Steps to reproduce

I have a Rails application running @ 60f2744 along with an encrypted field:

class User
  encrypts :phone
end

Referencing the field works fine with that ref:

$ User.last.phone
=> 8675309

I'm attempting to bump the ref to 9553814 but after I do, the same User.last.phone call starts raising a decryption error and ultimately a cipher error. The configuration is the same, I'm not rotating keys or anything, I've tested it down to only changing the rails ref and that's triggering the failure.

The only commit(d04dbcf) I'm seeing that's related to that file just removes a require to base64.

Is there anything else that needs to change or be updated when upgrading?

OpenSSL::Cipher::CipherError: null
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb:75:in `final'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb:75:in `decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:42:in `block in try_to_decrypt_with_each'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:41:in `each'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:41:in `with_index'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:41:in `try_to_decrypt_with_each'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:26:in `decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encryptor.rb:56:in `decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encrypted_attribute_type.rb:80:in `block in decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/scheme.rb:64:in `with_context'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encrypted_attribute_type.rb:15:in `with_context'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encrypted_attribute_type.rb:73:in `decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encrypted_attribute_type.rb:32:in `deserialize'
  from rails (9553814a3a2a) activemodel/lib/active_model/attribute_set/builder.rb:52:in `block in fetch_value'
  from rails (9553814a3a2a) activemodel/lib/active_model/attribute_set/builder.rb:46:in `fetch'
  from rails (9553814a3a2a) activemodel/lib/active_model/attribute_set/builder.rb:46:in `fetch_value'
  from rails (9553814a3a2a) activerecord/lib/active_record/attribute_methods/read.rb:38:in `_read_attribute'
  from rails (9553814a3a2a) activemodel/lib/active_model/attribute_methods.rb:277:in `phone'
...
ActiveRecord::Encryption::Errors::Decryption: ActiveRecord::Encryption::Errors::Decryption
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb:79:in `rescue in decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher/aes256_gcm.rb:55:in `decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:42:in `block in try_to_decrypt_with_each'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:41:in `each'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:41:in `with_index'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:41:in `try_to_decrypt_with_each'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/cipher.rb:26:in `decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encryptor.rb:56:in `decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encrypted_attribute_type.rb:80:in `block in decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/scheme.rb:64:in `with_context'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encrypted_attribute_type.rb:15:in `with_context'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encrypted_attribute_type.rb:73:in `decrypt'
  from rails (9553814a3a2a) activerecord/lib/active_record/encryption/encrypted_attribute_type.rb:32:in `deserialize'
  from rails (9553814a3a2a) activemodel/lib/active_model/attribute_set/builder.rb:52:in `block in fetch_value'
  from rails (9553814a3a2a) activemodel/lib/active_model/attribute_set/builder.rb:46:in `fetch'
  from rails (9553814a3a2a) activemodel/lib/active_model/attribute_set/builder.rb:46:in `fetch_value'
  from rails (9553814a3a2a) activerecord/lib/active_record/attribute_methods/read.rb:38:in `_read_attribute'
  from rails (9553814a3a2a) activemodel/lib/active_model/attribute_methods.rb:277:in `username'

System configuration

Rails version: 9553814

Ruby version: ruby-2.7.2

[rafaelfranca]

Can you run a git bisect to try to find which commit change the behavior?

[georgeclaghorn]

Related:

• Don't require encryption credentials when using a custom key provider #44540 (comment)
• Add option to configure digest algorithm in Active Record Encryption #44873

[nickhammond]

Thanks @georgeclaghorn, that new PR resolves the issue with no configuration change therefore keeping it on SHA1.

gem 'rails', github: 'basecamp/rails', ref: 'configure-digest-class-in-are'