-
Notifications
You must be signed in to change notification settings - Fork 21.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't require encryption credentials when using a custom key provider #44540
Don't require encryption credentials when using a custom key provider #44540
Conversation
Instead of pre-validating the configuration, we now check for the required values when they're used. Co-authored-by: Alex Ghiculescu <alex@tanda.co> Co-authored-by: Jorge Manrubia <jorge.manrubia@gmail.com> Co-authored-by: John Hawthorn <john@hawthorn.email>
FYI, this change broke decryption in an existing app of mine. The cause appears to be that key derivation via Not sure what, if anything, should be done about this, but wanted to raise it now anyway. It seems like a possible bug that we were deriving keys before It’s also possible that this is my fault for causing AR to load too early, but I haven’t found where I might be doing that yet. I’m trying to reproduce in a minimal sample app and haven’t managed to do that yet, either. |
I was able to reproduce this in a new app. I generated a new app and pinned it to b6d4269 (d49f956’s parent). I set up development encryption credentials via I upgraded the app to latest Rails
If I run
|
Adding my 2 cents here. This change broke decryption in an existing Rails app of mine as well, although deterministic encryption does not seem to be affected on my end. Basically every content that was "non-deterministically" encrypted (especially encrypted rich text via ActionText) in my app before this change is no longer decrypted ; while all new content is encrypted and decrypted properly. Symmetrically, reverting this change restores decryption of encrypted content that was posted before, but breaks decryption of encrypted content that was posted afterwards. |
I just realised I've had this open and unreplied for several weeks, sorry @georgeclaghorn and @EmCousin. 😞 Thanks for the detailed report -- I agree that it seems like this change has accidentally fixed a bug, but in doing so it's introduced an incompatibility. @jorgemanrubia do you have thoughts on this? On one hand, it seems we could introduce compatibility to decrypt using SHA1-derived keys as well as |
@matthewd key providers can serve multiple keys via But I am not sure we need to support both hashes at the same time. Back in the day I created this PR #42929 to make the encryption digest algorithm configurable. That would offer a path for apps to control the used algorithm and would help with this problem, as long as apps don't have encrypted data with both digest algorithms in production of course. Until this patch, it was effectively using SHA1, so we can default to that until the next Rails release. I can prepare a PR before the week ends. I'm tentatively going with the configurable digest key path, please let me know if you think we need to support both digest algorithms at the same time (I'm not sure about Rails policy to deal with breaking changes in Great work on the patch that exposed this bug @matthewd and great report @georgeclaghorn. |
I didn't get to this last week. Aiming to get that PR ready this one. |
…tion Before, it was using the configured by Rails. Having a mechanism to configure it for Active Record encryption makes sense to prevent problems with encrypted content when the default in Rails changes. Additionally, there was a bug making AR encryption use the older SHA1 before `ActiveSupport.hash_digest_class` got initialized to SHA256. This bug was exposed by rails#44540. We will now set SHA256 as the standard for 7.1+, and SHA1 for previous versions.
…tion (#44873) Before, it was using the configured by Rails. Having a mechanism to configure it for Active Record encryption makes sense to prevent problems with encrypted content when the default in Rails changes. Additionally, there was a bug making AR encryption use the older SHA1 before `ActiveSupport.hash_digest_class` got initialized to SHA256. This bug was exposed by #44540. We will now set SHA256 as the standard for 7.1+, and SHA1 for previous versions.
Instead of pre-validating the configuration, we now check for the required values when they're used.
This is a light variation on #42958 -- I was nervous about exposing both a nil-returning accessor and a raise-on-nil
credential
method, so I've moved the raise onto the accessors themselves.Fixes #42385
Closes #42958