Rails 7 - ActiveSupport::MessageEncryptor

Question

I upgraded my app to Rails 7 (from Rails 6.1) and stuck on an issue.

I encrypt a few data fields with ActiveSupport::MessageEncryptor. I have my code to encrypt and decrypt below.

There is no issue when I create a new record. The values are encrypted. Then as I view the record the values are decrypted.

The issue is that I cannot view any records created before upgrading to Rails 7. The decrypt_and_verify method throws ActiveSupport::MessageEncryptor::InvalidMessage

Note that the ENV values KEY_GENERATOR_SECRET and KEY_GENERATOR_SALT have not changed.

I failed to test decrypting older records and thought I was good - so I've pushed to production (on Heroku). This issue is present in Development, Test, and Production. Good times.

Thanks for any help, Charlie

  # ----------------------------------------------------------------

  # encrypt a value
  def encrypt_value(obj_value)

    # create the key from a combination of
    # our secret passcode + unique salt
    key = ActiveSupport::KeyGenerator.new(ENV['KEY_GENERATOR_SECRET']).generate_key(ENV['KEY_GENERATOR_SALT'], 32)

    # encrypt the objects value
    ActiveSupport::MessageEncryptor.new(key).encrypt_and_sign(obj_value)

  end

  # ----------------------------------------------------------------

  # decrypt a value
  def decrypt_value(encrypted_value)

    # if nothing to encrypt,
    # return an empty string
    return '' if encrypted_value.nil?

    # create the key from a combination of
    # our secret passcode + unique salt
    key = ActiveSupport::KeyGenerator.new(ENV['KEY_GENERATOR_SECRET']).generate_key(ENV['KEY_GENERATOR_SALT'], 32)

    # decrypt the objects encrypted value
    ActiveSupport::MessageEncryptor.new(key).decrypt_and_verify(encrypted_value)

  end

  # ----------------------------------------------------------------

Answer 1

In my case I tried with config.active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA1 but it didn't work.

Instead, inside ActiveSupport::KeyGenerator.new, I use hash_digest_class: OpenSSL::Digest::SHA1:

  # ----------------------------------------------------------------

  # encrypt a value
  def encrypt_value(obj_value)

    # create the key from a combination of
    # our secret passcode + unique salt
    key = ActiveSupport::KeyGenerator.new(ENV['KEY_GENERATOR_SECRET'], hash_digest_class: OpenSSL::Digest::SHA1).generate_key(ENV['KEY_GENERATOR_SALT'], 32)

    # encrypt the objects value
    ActiveSupport::MessageEncryptor.new(key).encrypt_and_sign(obj_value)

  end

  # ----------------------------------------------------------------

  # decrypt a value
  def decrypt_value(encrypted_value)

    # if nothing to encrypt,
    # return an empty string
    return '' if encrypted_value.nil?

    # create the key from a combination of
    # our secret passcode + unique salt
    key = ActiveSupport::KeyGenerator.new(ENV['KEY_GENERATOR_SECRET'], hash_digest_class: OpenSSL::Digest::SHA1
).generate_key(ENV['KEY_GENERATOR_SALT'], 32)

    # decrypt the objects encrypted value
    ActiveSupport::MessageEncryptor.new(key).decrypt_and_verify(encrypted_value)

  end

  # ----------------------------------------------------------------

Answer 2

Rails 7 updated the default digest class for key generation in active support, from SHA1 to SHA256. As all current values are encrypted with SHA1, that's what I need to use.

The below line in application.rb fixes it.

config.active_support.key_generator_hash_digest_class = OpenSSL::Digest::SHA1

Next project is to update all encrypted values from SHA1 to SHA256.