Rails plugin to encrypt/decrypt columns of ActiveRecord models with GPGME
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


== ActsAsEncryptedWithGpgme

acts_as_encrypted_with_gpgme is a rails plugin which does
encryption/decryption with the GPGME (GnuPG Made Easy) library.

The main advantage of this plugin is that it stores encrypted data in
the standard OpenPGP format, while similar plugins use custom data
format.  Using the standard format allows you to easily migrate from
some crypto algorithm to the other algorithms.

== Usage

acts_as_encrypted_with_gpgme is capable of encrypting data with either
a public-key cipher or a symmetric cipher.

=== Using a public-key cipher

To use public-key cipher algorithm, you need a key pair for
encryption; the keys are loaded from

To generate a new key pair, do:

 $ mkdir config/gpgme
 $ gpg --homedir config/gpgme --gen-key
 ...follow the instruction prompted by gpg...

Now you have a key pair.  You might want to control detail behavior of
encryption through <tt>RAILS_ROOT/config/gpgme/gpg.conf</tt>.  For
example, to specify a cipher algorithm being used internally, add the
following line to the file:

 cipher-algo TWOFISH

For other options, see <tt>man gpg</tt>.

Now let's go ahead to create an ActiveRecord model.

 $ ./script/generate model account name:string credit_card_number:string
 $ rake db:migrate

Create app/models/account.rb containing the following:

 class Account < ActiveRecord::Base
   acts_as_encrypted_with_gpgme :fields => {
     :credit_card_number => {
       :recipients => ['AC5C76C1'] # key ID for the key generated above

The above code means that the column named <i>credit_card_number</i>
be encrypted to a public-key identified by 'AC5C76C1'.  Note that at
this point the example only does *not* provide decryption---in other
words, the column <i>credit_card_number</i> is regarded as write-only
within your Rails application.

To make the column be decrypted after the data is retrieved from the
database, specify decryption key with the <tt>:key</tt> option:

 class Account < ActiveRecord::Base
   acts_as_encrypted_with_gpgme :fields => {
     :credit_card_number => {
       :recipients => ['AC5C76C1'] # key ID for the key generated above
       :key => 'AC5C76C1'

and provide the passphrase to unlock the key; add the following to

 ActsAsEncryptedWithGpgme.set_passphrase('AC5C76C1', 'your passphrase')

=== Using a symmetric cipher

Symmetric encryption can be used in the same way as public-key
encryption described in the previous section, except that you don't
need to prepare keys.  Let's start from creating models:

 $ ./script/generate model post title:string body:text
 $ rake db:migrate

Create app/models/post.rb containing the following:

 class Post < ActiveRecord::Base
   acts_as_encrypted_with_gpgme :fields => [:body]

To tell the passphrase, add the following to

 ActsAsEncryptedWithGpgme.set_passphrase('Post#body', 'your passphrase')

By default, the key for the passphrase is automatically constructed
from the class and the column name to be encrypted.

== Security consideration

It is generally not a good idea to hold a secret in memory for a long
time.  If you really want to support on-the-fly decryption, you should
probably consider hosting your Rails application on a trusted machine
isolated from the database server.

Copyright (c) 2009 Daiki Ueno, released under the MIT license