I found ways to configure symmetric encryption for the database user but no way to configure keys or something similar to encrypt the data sent to the database.
Is there any database supported by Ruby in Rails that allows specifying such encryption ? MariaDB / MySql is preferred.
With the help of tadman I found an adaptor which is able to set several SSL related parameters like sslkey but I still don't know how this works with database.yml: http://api.rubyonrails.org/v4.2.6/classes/ActiveRecord/ConnectionAdapters/MysqlAdapter.html
Related
It looks like it contains a bunch of hashes but i cant seem to figure out what its for.
Would there be any harm in it being lost ?
Does it contain sensitive information ?
This is the dockerd key for TLS connections, in web format, that docker uses when connecting to other TLS servers like registries. It's automatically generated by the docker engine on startup, so there's no risk if deleted. You should treat it as sensitive since TLS connections using an exposed key are not secure.
More details are available here: https://github.com/moby/moby/issues/7667
My graphebedb_url is gotten from heroku to access my neo4j database online. It is correct but when I initiate db connection. It returns error 403.which is forbidden request.
I'm founder & CEO of GrapheneDB. philippkueng/node-neo4j supports authentication via URL.
According to the project's readme, the snippet should look like this. I've adjusted it to load the connection URI from the env variable:
var neo4j = require('node-neo4j');
db = new neo4j(process.env['GRAPHENEDB_URL']);
Attention: The latests release of the driver is 9 months old, so it might not be compatible with the latests versions of Neo4j. This is not related to your authentication issue though.
For an up-to-date nodejs driver I'd recommend thingdom/node-neo4j
Can you describe what you've tried?
Perhaps you need the username and password? Your driver might not support the username and password as part of the URL. You might need to specify it separately (keep in mind there are two node-neo4j drivers when looking at documentation)
Also, ideally you should be using the Heroku environment variable rather than hardcoding the URL.
Encrypting data
Having just finished adding attr_encrypted to some models, I've come to think that a hackers job might not be that hard.
I've got a database on a different server to the app servers - however, chances are that if someone managed to get on to the db server, that person could also access the app server where the keys are stored (perhaps that assumption is incorrect) as they have the same type of security measures.
Issue
Rails code is stored in a readable text format on the server, therefore the secret keys can be accessed. Surely if someone did get a hold of the database, and a hold of those keys the entire encryption of data becomes irrelevant as it simply (slightly) prolongs the hackers time to decrypt information.
If so, are there further security measure that can be taken, or have I completely missed the concept of encryption?
I've had a look around the attr_encrypted gem and associated readme and questions but could not find anything useful.
attr_encrypted protects your data from simple data leaks. Think NSA sniffing an inter-DC cable (where your db replication logs will be sent over) or disgruntled DBA (not having access to app source) dumping all your data into the internets.
If it is actual breach, intruders might not get access to both app code and database (depends on your architecture and security measures). If they have both, then yes, it's game over.
All in all, it's better to have it [for sensitive data] than not to have. Doesn't hurt, I'd say.
Don't put the keys in the app server and don't check them in to the git repository.
Instead, use environment variables. You can have different approaches for dev and production.
Very easy to do on Heroku (for example).
I have an encryption concern:
# app/models/concerns/encryption.rb
module Encryption
extend ActiveSupport::Concern
module ClassMethods
def encryption_key
ENV['ENCRYPT_KEY']
end
end
end
In the model, I do this
class User < ActiveRecord::Base
include Encryption
attr_encrypted :name, :key => encryption_key
end
In development, I use a .env file to store keys and retrieve with foreman.
I run a live RoR (Rails 3.21.11) application on Heroku that contains some sensitive (personally-identifiable) information that we'd like to cache out (~80kb of JSON on a per-user basis).
Since we run on Heroku, we obviously trust Heroku with this data.
However, to use memcached, we need to use a Heroku addon, such as Memcachier.
The business problem: we are not willing to put this sensitive information on a third-party provider's infrastructure unless it is symmetrically encrypted on the way out.
Of course, I can do this:
value = encrypt_this(sensitive_value)
Rails.cache.write('key', value)
But we envisiage a future in which ActiveRecord objects, as well as good ol' JSON, will be stored -- so we need every bit of data going out to be automatically encrypted, and we don't want to have to write an encryption line into every bit of code that might want to use the cache.
Are there any gems/projects/tools to do this?
Although I haven't had a chance to use this yet the attr_encrypted library might get you some or all of the way there.
I'm building a rails app that communicates with other servers via ftp. The user needs to input their host, username and password for their particular ftp server. I wouldn't want to store their password as cleartext, but I need the actual password to connect to the server when it comes time. Would it make sense to use a two-way hash?
I found a few implementations that might do the job:
http://crypt.rubyforge.org/blowfish.html
http://crypt.rubyforge.org/rijndael.html
http://ezcrypto.rubyforge.org/
Thanks,
Trevor
Since password is eventually passed to the FTP server as cleartext, any db encryption is a bonus.
I ended up using attr_encrypted which worked great.