I have a model that has inside of it a few bits of data I would like to encrypt.

I'm using ezcrypto to do the encrypting, but was wondering what your opinions are for what is the best way or place to store the encryption key?

thx!

Dave

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---

On Jul 19, 2007, at 21:40, Dave Coleman wrote:

> I'm using ezcrypto to do the encrypting, but was wondering
> what your opinions are for what is the best way or place
> to store the encryption key?

I think if anyplace, in your configuration file. I don't think you'd want to hard-wire something like that to a model. I understand you need to store this somewhere, but I must admit storing it anywhere makes me feel a bit uneasy from a security standpoint. Doesn't your encryption library include guidelines for this?

Michael Glaesemann
grzm seespotcode net

> Doesn't your encryption library include guidelines for this?

http://ezcrypto.rubyforge.org/

The read me doc says:
"The raw method could be used for storing in a database using a tinyblob column."

(the raw key) - Which is what I'm doing currently, having a uniquely generated key per db entry. Seems ok to me, just looking for other opinions.

--
Posted via http://www.ruby-forum.com/.

Dave Coleman wrote:

> I have a model that has inside of it
> a few bits of data I would like to encrypt.
>
> I'm using ezcrypto to do the encrypting, but was wondering
> what your opinions are for what is the best way or place
> to store the encryption key?
>
> thx!
>
> Dave

There are a couple of points to think about:

a) Your trust fabric & functionality

The question is whom do you trust & why. If the security model is that the clients trust the server and the function of encryption is to secure the channel, you can keep the keys in a file and secure it with a password which will be hard-coded in the code running in the server and client side. Anybody who has access to the server can walk away with the file and then can decrypt the pieces of data. So you are trusting the physical security of the server, which is OK.

b) Nature of keys and key exchange mechanism

If you are using symmetric keys, you need to have a way of distributing the actual key to both the server and the client. Remember, time will come when you have many clients and servers and the key would need to change. So plan for a good and simple mechanism - manual is fine, so long as it is well documented ;o)

OTOH, if you are using certificates, then you need to distribute the public key of the server to the clients plus keep the password protected private key in the server. In this case, if you are load balancing between servers et al, you need to take care of (and document) that aspect as well.

In short, without knowing more about your application, it is better to use a public-private key paradigm, keep a password protected private key in the server and distribute the public keys as certs to the clients. A certs directory is the best place to keep these artifacts.

Cheers & hope it helps
<k/>

On 7/19/07, Dave Coleman <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:

> > Doesn't your encryption library include guidelines for this?
>
> http://ezcrypto.rubyforge.org/
>
> The read me doc says:
> "The raw method could be used for storing in
> a database using a tinyblob column."
>
> (the raw key) - Which is what I'm doing currently, having a uniquely
> generated key per db entry. Seems ok to me, just looking for other
> opinions.

If the key is stored in the same database as the encrypted data, there isn't any point in encrypting it in the first place. And no, don't use a blob; base64 encode it and put it in a text/varchar column.

Chris
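
An added example, not written by any poster in this thread and not ezcrypto's own code: one way to keep the per-record keys described above while holding the key that protects them outside the database, with everything stored as base64 text. It uses AES-256-GCM from Ruby's standard OpenSSL library instead of ezcrypto; the variable name `APP_MASTER_KEY` and all method names are hypothetical.

```ruby
require "openssl"
require "base64"

CIPHER = "aes-256-gcm" # authenticated encryption from Ruby's bundled OpenSSL

# Load the master key from outside the database. APP_MASTER_KEY is a
# hypothetical variable name holding a base64-encoded 32-byte key.
def load_master_key(env = ENV)
  key = Base64.strict_decode64(env.fetch("APP_MASTER_KEY"))
  raise ArgumentError, "master key must be 32 bytes" unless key.bytesize == 32
  key
end

# Encrypt bytes under key; return base64(iv + tag + ciphertext) so the
# result fits a text/varchar column.
def seal(key, plaintext)
  c = OpenSSL::Cipher.new(CIPHER).encrypt
  c.key = key
  iv = c.random_iv                      # fresh 12-byte nonce per call
  ct = c.update(plaintext) + c.final
  Base64.strict_encode64(iv + c.auth_tag + ct)
end

# Reverse of seal; raises OpenSSL::Cipher::CipherError on a wrong key or
# tampered data.
def unseal(key, blob)
  raw = Base64.strict_decode64(blob)
  d = OpenSSL::Cipher.new(CIPHER).decrypt
  d.key = key
  d.iv = raw[0, 12]
  d.auth_tag = raw[12, 16]
  d.update(raw[28..-1]) + d.final
end

# Per-record key, as in the thread, but stored only in wrapped form.
def encrypt_record(master_key, plaintext)
  data_key = OpenSSL::Random.random_bytes(32)
  { "wrapped_key" => seal(master_key, data_key),
    "ciphertext"  => seal(data_key, plaintext) }
end

def decrypt_record(master_key, row)
  unseal(unseal(master_key, row["wrapped_key"]), row["ciphertext"])
end
```

With this layout a copy of the database holds only wrapped keys and ciphertext, and changing the master key means re-wrapping the per-record keys rather than re-encrypting the data.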