RailsConf 2023 - ActiveRecord::Encryption; Stop Hackers from... by Matthew Langlois, Kylie Stradley

Learn how to seamlessly roll out Active Record encryption using feature flags, master keys, and custom key providers, and discover the importance of simplicity, ease of use, and performance impact in determining your encryption strategy.

Key takeaways
  • Using feature flags to roll out Active Record encryption seamlessly
  • Energy efficiency measurements are not the only consideration in determining the encryption strategy
  • Master keys and custom key providers are used to handle different encryption schemes
  • Active Record encryption stores keys in the database as JSON, with a hash of the original key and a derived key
  • Key rotation involves re-encrypting existing records using the new key, and storing the old key securely
  • Partners have the opportunity to use a custom key provider for their encryption keys
  • If there is a key compromise, a new encryption key can be appended to the existing key, allowing for backwards compatibility
  • Encryption schemes should be evaluated based on their performance impact and risk tolerance
  • Support for deterministic encryption is important for auditing and transparency
  • Master keys are used to derive other keys for encryption and decryption
  • Hardware random number generators may be used for randomness
  • Encryption limits the ability of hackers to steal data
  • As a product security team, simplicity and ease of use are important considerations in determining the encryption strategy
  • GitHub’s Active Record encryption has been used to encrypt a variety of data types, including API keys and tokens
  • Data can be encrypted when it is written to the database, or after it has been written
  • Methods for encrypting and decrypting data do not have to be next to each other in the code
  • It is more secure to derive keys than to use a fixed or hardcoded key
  • A salt is used to make it more difficult for hackers to crack the encryption
  • Key generation and storage are critical components of an encryption strategy
  • Construction of custom key providers may be necessary to handle specific use cases
  • Active Record encryption can be used to encrypt data in a variety of languages
  • Encryption can be used to prevent data breaches, but is not a foolproof solution
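
The takeaways on deriving keys from a master key with a salt, and on appending a new key while staying backwards compatible, can be seen in a small stand-alone sketch. This is an added example in plain Ruby with OpenSSL, not code from the talk, from Rails, or from GitHub; the function names, salt, and secrets are hypothetical, constructed values.

```ruby
require "openssl"
require "base64"
require "json"

# Added sketch: hypothetical names and constructed sample values throughout.
SALT = "constructed-derivation-salt"
ITERATIONS = 65_536

# Derive a 256-bit AES key from a master secret instead of using it directly.
def derive_key(master_secret, salt = SALT)
  OpenSSL::KDF.pbkdf2_hmac(master_secret, salt: salt, iterations: ITERATIONS,
                           length: 32, hash: "sha256")
end

# Encrypt with the newest (last) secret and return a JSON envelope.
def encrypt(plaintext, master_secrets)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = derive_key(master_secrets.last)
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  JSON.generate("p" => Base64.strict_encode64(ciphertext),
                "iv" => Base64.strict_encode64(iv),
                "at" => Base64.strict_encode64(cipher.auth_tag))
end

# Decrypt by trying each configured secret, newest first, so records written
# before a rotation stay readable until they are re-encrypted.
def decrypt(envelope, master_secrets)
  msg = JSON.parse(envelope).transform_values { |v| Base64.strict_decode64(v) }
  master_secrets.reverse_each do |secret|
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = derive_key(secret)
    cipher.iv = msg["iv"]
    cipher.auth_tag = msg["at"]
    begin
      return cipher.update(msg["p"]) + cipher.final
    rescue OpenSSL::Cipher::CipherError
      next # GCM tag check failed: wrong key, try the next one
    end
  end
  raise ArgumentError, "no configured key decrypts this record"
end
```

Re-encrypting a record after rotation is `encrypt(decrypt(envelope, secrets), secrets)`; once every record has been rewritten, the old secret can be dropped from the list.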