Reputation: 2302
I'm using the attr_encrypted gem and I also have Devise installed in my environment.
I have a user model that is handled by Devise, and the database column is: encrypted_password
Users can save clients, and I want to encrypt the client's name and age with the user's password.
My client.rb file looks like this. Here the data gets encrypted successfully:
class Client < ActiveRecord::Base
  attr_accessor :name, :age
  # static key, the same for every record
  attr_encrypted :name, :age, key: "test1234"
end
But I'd like to encrypt the data with the Users.password. Something like so:
class Client < ActiveRecord::Base
  attr_accessor :name, :age
  # current_user is a session helper and is not available in the model
  attr_encrypted :name, :age, key: current_user.encrypted_password
end
The current_user is the Devise helper method, but since this is from a session I can't access it in a model. Basically I'd like to encrypt all the clients' stuff with the user's password. But if I do that with the encrypted_password, then I already have the password to decrypt the whole field. I want to provide security to my users, and I don't want to know or be able to view their data. So the only way to do this is by encrypting all the data with the prehashed Devise user's password?
Edit:
The user.encrypted_password is already hashed, and whenever I access the DB I can use this to decrypt all the data, right?
So I should request the user's password -> hash it like Devise does -> compare it with the users.encrypted_password?
Do I have a logic error somewhere?
How would you solve this?
Upvotes: 1
Views: 1702
Reputation: 423
As you are using Devise, it uses the bcrypt algorithm to encrypt your password, which is one-way encryption,
i.e. this process is not reversible; there's no way to go from the hash back to the password. So you can use that hash for encrypting the whole data.
But my suggestion would be that you use the bcrypt algorithm for encrypting your data rather than using the user password. The reason why I am suggesting bcrypt rather than using your password a hash to encrypt your data
You can also refer to: https://github.com/codahale/bcrypt-ruby
Upvotes: 0
Reputation: 1
attr_encrypted provides a way to specify an instance method to provide the key.
class Client < ActiveRecord::Base
  attr_encrypted :name, :age, key: :client_key

  def client_key
    # just assuming relation between Client and User
    self.user.encrypted_password
  end
end
Source: https://github.com/attr-encrypted/attr_encrypted#symbols-representing-instance-methods-as-keys
Upvotes: 0
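An added example, not part of the question or either answer: because users.encrypted_password is stored in the database, a key the operator cannot reproduce has to be derived from the plaintext password while the user is logging in. The code below derives such a key with PBKDF2 and uses it to wrap a random per-user data key; the PasswordVault module, its method names, the iteration count and the sample values are assumptions made for illustration.

```ruby
require "openssl"
require "securerandom"

# Hypothetical helper for illustration; not Devise or attr_encrypted API.
module PasswordVault
  ITERATIONS = 200_000 # assumed PBKDF2 work factor

  # Key-encryption key from the plaintext password; never stored.
  def self.derive_kek(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256")
  end

  # AES-256-GCM; output layout is iv (12) + tag (16) + ciphertext.
  def self.seal(key, plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    iv + cipher.auth_tag + ciphertext
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or tampered blob.
  def self.unseal(key, blob)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(0, 12)
    cipher.auth_tag = blob.byteslice(12, 16)
    cipher.update(blob.byteslice(28, blob.bytesize)) + cipher.final
  end

  # Sign-up: random data key, stored only wrapped under the password-derived key.
  def self.enroll(password)
    salt = SecureRandom.random_bytes(16)
    dek = SecureRandom.random_bytes(32)
    { salt: salt, wrapped_dek: seal(derive_kek(password, salt), dek) }
  end

  # Login, while the plaintext password is in hand: recover the data key.
  def self.unlock(record, password)
    unseal(derive_kek(password, record[:salt]), record[:wrapped_dek])
  end
end

# Constructed sample values.
record = PasswordVault.enroll("correct horse battery")
dek = PasswordVault.unlock(record, "correct horse battery")
name_ct = PasswordVault.seal(dek, "Alice Example")
puts PasswordVault.unseal(dek, name_ct)
```

Only the salt, the wrapped data key and the ciphertext are stored, so database access alone does not yield the key; the unlocked data key would be kept for the session and handed to attr_encrypted through an instance-method key. A user who forgets the password cannot recover the data.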