attr_encrypted and devise, Encrypt user data with users password


I'm using the attr_encrypted gem and I also have Devise installed in my environment.

I have a User model that is handled by Devise, and the database column is: encrypted_password

Users can save clients and I want to encrypt the client's name and age with the user's password.

My client.rb file looks like this. Here the data gets encrypted successfully:

class Client < ActiveRecord::Base

  attr_accessor :name, :age
  # Static key shared by every record
  attr_encrypted :name, :age, key: "test1234"
end

But I'd like to encrypt the data with the Users.password. Something like so:

class Client < ActiveRecord::Base

  attr_accessor :name, :age
  # current_user is a session helper and is not available inside a model
  attr_encrypted :name, :age, key: current_user.encrypted_password
end

The current_user is the Devise helper method, but since this comes from a session I can't access it in a model. Basically I'd like to encrypt all the clients' stuff with the user's password. But if I do that with the encrypted_password, then I already have the password to decrypt the whole field. I want to provide security to my users and I don't want to know or be able to view their data. So the only way to do this is by encrypting all the data with the prehashed Devise user's password?

edit:

The user.encrypted_password is already hashed, and whenever I access the db I can use this to decrypt all the data, right?

So I should request the user's password -> hash it like Devise does -> compare it with the users.encrypted_password?

Do I have a logic error somewhere?

How would you solve this?

2

There are 2 answers

1
marvs On

attr_encrypted provides a way to specify an instance method to provide the key.

class Client < ActiveRecord::Base
  attr_encrypted :name, :age, key: :client_key

  def client_key
    # just assuming relation between Client and User
    self.user.encrypted_password
  end
end

Source: https://github.com/attr-encrypted/attr_encrypted#symbols-representing-instance-methods-as-keys

2
SRDP On

As you are using Devise, it uses the bcrypt algorithm to encrypt your password, which is one-way encryption,

i.e. this process is not reversible; there's no way to go from the hash back to the password. So you can use that hash for encrypting the whole data.

But my suggestion would be that you use the bcrypt algorithm for encrypting your data rather than using the user password. The reasons why I am suggesting bcrypt rather than using your password hash to encrypt your data:

  • You will have to re-encrypt your data each and every time the user changes his password. If you fail to do so on any occasion, you won't be able to retrieve your data back.
  • The overhead will be more, i.e. re-encrypting the data each time on password change.
  • The encrypted_password will be very tightly coupled with the user data. I feel that the user data should be independent of the password related to access, and there should be a different, independent encryption for user data which is not related to user login or password.

You can also refer to: https://github.com/codahale/bcrypt-ruby
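
The re-encryption and coupling concerns raised above can be handled by wrapping a random per-user data key with a key derived from the plaintext password, so nothing stored in the database (including encrypted_password) can decrypt client rows on its own. This is an added example, not code from either answer and not attr_encrypted's or Devise's API; the PasswordVault module, its method names, the record layout and the PBKDF2 iteration count are assumptions.

```ruby
require "openssl"

# Added illustration; module and method names are hypothetical.
module PasswordVault
  ITERATIONS = 200_000 # assumed PBKDF2 work factor; tune for your hardware

  # Key-encryption key derived from the plaintext password; never stored.
  def self.kek(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERATIONS, 32,
                               OpenSSL::Digest.new("SHA256"))
  end

  # AES-256-GCM; returns iv (12 bytes) + tag (16 bytes) + ciphertext.
  def self.seal(key, plaintext)
    c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    c.key = key
    iv = c.random_iv
    c.auth_data = ""
    ct = c.update(plaintext) + c.final
    iv + c.auth_tag + ct
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or altered data.
  def self.unseal(key, blob)
    c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    c.key = key
    c.iv = blob[0, 12]
    c.auth_tag = blob[12, 16]
    c.auth_data = ""
    c.update(blob[28..-1]) + c.final
  end

  # Once per user: random data key (DEK), stored only in wrapped form.
  def self.enroll(password)
    salt = OpenSSL::Random.random_bytes(16)
    dek = OpenSSL::Random.random_bytes(32)
    { salt: salt, wrapped_dek: seal(kek(password, salt), dek) }
  end

  # At login, while the plaintext password is in hand: recover the DEK.
  def self.unlock(record, password)
    unseal(kek(password, record[:salt]), record[:wrapped_dek])
  end

  # Password change re-wraps the 32-byte DEK; client rows stay untouched.
  def self.change_password(record, old_pw, new_pw)
    dek = unlock(record, old_pw)
    salt = OpenSSL::Random.random_bytes(16)
    { salt: salt, wrapped_dek: seal(kek(new_pw, salt), dek) }
  end
end
```

With this layout a forgotten password means the wrapped key, and therefore the client data, cannot be recovered by anyone, which is the property the question asks for but also rules out an ordinary password reset.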