Reputation: 18157
Encrypt, decrypt using Rails
I saw a while ago the possibility to decrypt and encrypt strings in rails without including any library, but I can't find the blog post.
I want to be able to encrypt and decrypt strings without including anything. Using the same key has for the everything else in rails, signed cookies for example.
Any ideas?
Upvotes: 58
Views: 42654
Answers (3)
Reputation: 26547
Rails 5 update:
crypt = ActiveSupport::MessageEncryptor.new(Rails.application.secrets.secret_key_base[0..31])
encrypted_data = crypt.encrypt_and_sign('my confidental data')
Rails 5.x Needs a key of exactly 32 bytes.
To verify a previously signed message with a longer key:
crypt = ActiveSupport::MessageEncryptor.new(Rails.application.secrets.secret_key_base[0..31], Rails.application.secrets.secret_key_base)
encrypted_data = crypt.encrypt_and_sign('my confidental data')
as described in the documentation and the discussion on this change
Upvotes: 9
Reputation: 17145
You mean this one?: ActiveSupport::MessageEncryptor. Here is the way to reuse Rails 5+ on Ruby 2.4+ application's secret:
crypt = ActiveSupport::MessageEncryptor.new(Rails.application.secrets.secret_key_base[0..31])
encrypted_data = crypt.encrypt_and_sign('my confidental data')
And encrypted data can be decrypted with:
decrypted_back = crypt.decrypt_and_verify(encrypted_data)
The above example uses first 32 characters of Rails app secret as an encryption and signing key, because the default MessageEncryptor cipher aes-256-gcm requires exactly 256 bit key. By convention, during the app creation, Rails generates a secret as a string of 128 hex digits.
Important! Ruby 2.4 upgrade note
Before Ruby 2.4 and Rails 5 there was no key size restriction and it was popular to just past full secret into the encryptor initializer:
# pre-2.4
crypt = ActiveSupport::MessageEncryptor.new(Rails.application.secrets.secret_key_base)
Internally the encryption algorithm (AES256GCM provided by OpenSSL) was using only 32 characters from the key, however the signing algorithm (SHA1) was consuming all 128 characters.
Therefore, while upgrading an app from pre-2.4 Ruby, and where the app previously encrypted the data with an unrestricted key size, the MessageEncryptor must get a full secret in the second parameter to avoid ActiveSupport::MessageVerifier::InvalidSignature on the legacy data decryption:
# post-2.4 upgrade
crypt = ActiveSupport::MessageEncryptor.new(Rails.application.secrets.secret_key_base[0..31], Rails.application.secrets.secret_key_base)
Upvotes: 144
Reputation: 1049
Rails 5 requires that the key be 32 bytes.
Edit to Rails 4 answer that works for Rails 5:
key = SecureRandom.random_bytes(32)
crypt = ActiveSupport::MessageEncryptor.new(key)
encrypted_data = crypt.encrypt_and_sign('my confidental data')
Decrypt:
decrypted_back = crypt.decrypt_and_verify(encrypted_data)
Upvotes: 19
Related Questions
- How do I decrypt in rails?
- encryption and decryption algorithm in Rails
- Encrypting in Rails and decrypting in Salesforce
- rails encryption/decryption
- ruby - how to encrypt text
- Easiest and fastest way to encrypt/decrypt in Rails?
- Ruby on Rails Decryption
- Encryption-Decryption in Rails
- Rails decrypt attr_encryptable
- Encrypt/Decrypt String