Kylie Stradley - Everything we learned while Implementing ActiveRecord::Encryption - Rails World

Learn best practices for implementing encryption in Rails with Active Record Encryption, including key management, nonce reuse, and performance considerations, to ensure the security and resilience of your applications.

Key takeaways
  • It’s not recommended to build your own column encryption strategy without the support of Active Record Encryption, as it can lead to complexity and vulnerabilities.
  • Key management is the hardest part of encryption, and it’s crucial to consider key rotation and management in your initial design.
  • Active Record Encryption uses a JSON object to store its data, which includes headers and encryption keys.
  • Encrypting two things with the same nonce is fatal to the confidentiality of the data.
  • Idempotent encryption methods can help prevent side effects and ensure that data is always valid.
  • Deterministic encryption should be avoided, as it can compromise the security of the data.
  • Building with key rotation and key management in mind can help prevent common issues and ensure resilience.
  • Encrypting data doesn’t guarantee security, and auditing and monitoring are crucial to detect potential issues.
  • Centralized key management can help simplify key rotation and ensure consistency.
  • It’s essential to consider the potential impact of encryption on performance, latency, and scalability.
  • Encrypting large amounts of data can lead to nonce reuse and compromise the security of the data.
  • It’s crucial to monitor and audit data to detect potential issues and ensure the security of the data.
  • Building with Active Record Encryption can simplify the process of migrating to encrypted columns.
  • Implementing encryption without considering key rotation can lead to complexity and vulnerabilities.
  • Decentralized key management can make key rotation more challenging and prone to errors.
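
The nonce-reuse and auditing takeaways above can be checked against stored data. The following is an added example, not code from the talk or from Rails: it builds constructed AES-256-GCM records, flags any nonce that appears with more than one distinct payload, and shows why that reuse exposes plaintext. The JSON layout (`p` for payload, `h` for headers holding `iv` and `at`) is an assumption about the stored format, and the key, nonce and plaintexts are constructed samples.

```ruby
require "openssl"
require "json"
require "base64"

# Constructed sample key, nonce and plaintexts (equal length for the XOR demo).
KEY = ("k" * 32).b
REUSED_IV = ("n" * 12).b
P1 = "alice@example.com"
P2 = "bobby@example.com"

# AES-256-GCM encrypt, serialized in the assumed stored layout:
# {"p": payload, "h": {"iv": nonce, "at": auth tag}}, all Base64.
def encrypt_record(key, iv, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  cipher.iv = iv
  ciphertext = cipher.update(plaintext) + cipher.final
  { "p" => Base64.strict_encode64(ciphertext),
    "h" => { "iv" => Base64.strict_encode64(iv),
             "at" => Base64.strict_encode64(cipher.auth_tag) } }.to_json
end

# Audit check: IVs that occur with more than one distinct payload.
def reused_ivs(stored_values)
  stored_values.map { |v| JSON.parse(v) }
               .group_by { |r| r.dig("h", "iv") }
               .select { |_iv, rows| rows.map { |r| r["p"] }.uniq.size > 1 }
               .keys
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

# Why reuse is fatal: the same key and nonce give the same keystream, so
# XORing two payloads cancels it and yields plaintext1 XOR plaintext2.
def payload_xor(stored_a, stored_b)
  a, b = [stored_a, stored_b].map { |v| Base64.strict_decode64(JSON.parse(v)["p"]) }
  xor_bytes(a, b)
end

RECORDS = [
  encrypt_record(KEY, REUSED_IV, P1),
  encrypt_record(KEY, REUSED_IV, P2),                       # nonce reused
  encrypt_record(KEY, OpenSSL::Random.random_bytes(12), P1) # fresh nonce
].freeze

puts "reused IVs: #{reused_ivs(RECORDS).inspect}"
puts "keystream cancelled: #{payload_xor(RECORDS[0], RECORDS[1]) == xor_bytes(P1, P2)}"
```

An identical nonce paired with an identical payload is not flagged, since that is the same ciphertext stored twice rather than one keystream applied to two different plaintexts.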