This is the concern mixed in Active Record models to make them encryptable. It adds the encrypts
attribute declaration, as well as the API to encrypt and decrypt records.
- A
- C
- D
- E
- G
- L
- O
- P
- S
- V
Constants
ORIGINAL_ATTRIBUTE_PREFIX | = | "original_" |
Instance Public methods
add_length_validation_for_encrypted_columns() Link
ciphertext_for(attribute_name) Link
Returns the ciphertext for attribute_name
.
decrypt() Link
Decrypts all the encryptable attributes and saves the changes.
deterministic_encrypted_attributes() Link
Returns the list of deterministic encryptable attributes in the model class.
encrypt() Link
Encrypts all the encryptable attributes and saves the changes.
encrypt_attribute(name, attribute_scheme) Link
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 82 def encrypt_attribute(name, attribute_scheme) encrypted_attributes << name.to_sym attribute name do |cast_type| ActiveRecord::Encryption::EncryptedAttributeType.new scheme: attribute_scheme, cast_type: cast_type end preserve_original_encrypted(name) if attribute_scheme.ignore_case? ActiveRecord::Encryption.encrypted_attribute_was_declared(self, name) end
encrypted_attribute?(attribute_name) Link
Returns whether a given attribute is encrypted or not.
encrypts(*names, key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties) Link
Encrypts the name
attribute.
Options
-
:key_provider
- A key provider to provide encryption and decryption keys. Defaults toActiveRecord::Encryption.key_provider
. -
:key
- A password to derive the key from. It’s a shorthand for a:key_provider
that serves derivated keys. Both options can’t be used at the same time. -
:deterministic
- By default, encryption is not deterministic. It will use a random initialization vector for each encryption operation. This means that encrypting the same content with the same key twice will generate different ciphertexts. When set totrue
, it will generate the initialization vector based on the encrypted content. This means that the same content will generate the same ciphertexts. This enables querying encrypted text with Active Record. Deterministic encryption will use the oldest encryption scheme to encrypt new data by default. You can change this by setting +deterministic: { fixed: false }+. That will make it use the newest encryption scheme for encrypting new data. -
:downcase
- When true, it converts the encrypted content to downcase automatically. This allows to effectively ignore case when querying data. Notice that the case is lost. Use:ignore_case
if you are interested in preserving it. -
:ignore_case
- When true, it behaves like:downcase
but, it also preserves the original case in a specially designated column +original_<name>+. When reading the encrypted content, the version with the original case is served. But you can still execute queries that will ignore the case. This option can only be used when:deterministic
is true. -
:context_properties
- Additional properties that will overrideContext
settings when this attribute is encrypted and decrypted. E.g:encryptor:
,cipher:
,message_serializer:
, etc. -
:previous
- List of previous encryption schemes. When provided, they will be used in order when trying to read the attribute. Each entry of the list can contain the properties supported byencrypts
. Also, when deterministic encryption is used, they will be used to generate additional ciphertexts to check in the queries.
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 45 def encrypts(*names, key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties) self.encrypted_attributes ||= Set.new # not using :default because the instance would be shared across classes scheme = scheme_for key_provider: key_provider, key: key, deterministic: deterministic, downcase: downcase, \ ignore_case: ignore_case, previous: previous, **context_properties names.each do |name| encrypt_attribute name, scheme end end
global_previous_schemes_for(scheme) Link
load_schema!() Link
override_accessors_to_preserve_original(name, original_attribute_name) Link
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 104 def override_accessors_to_preserve_original(name, original_attribute_name) include(Module.new do define_method name do if ((value = super()) && encrypted_attribute?(name)) || !ActiveRecord::Encryption.config.support_unencrypted_data send(original_attribute_name) else value end end define_method "#{name}=" do |value| self.send "#{original_attribute_name}=", value super(value) end end) end
preserve_original_encrypted(name) Link
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 93 def preserve_original_encrypted(name) original_attribute_name = "#{ORIGINAL_ATTRIBUTE_PREFIX}#{name}".to_sym if !ActiveRecord::Encryption.config.support_unencrypted_data && !column_names.include?(original_attribute_name.to_s) raise Errors::Configuration, "To use :ignore_case for '#{name}' you must create an additional column named '#{original_attribute_name}'" end encrypts original_attribute_name override_accessors_to_preserve_original name, original_attribute_name end
scheme_for(key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties) Link
# File activerecord/lib/active_record/encryption/encryptable_record.rb, line 68 def scheme_for(key_provider: nil, key: nil, deterministic: false, downcase: false, ignore_case: false, previous: [], **context_properties) ActiveRecord::Encryption::Scheme.new(key_provider: key_provider, key: key, deterministic: deterministic, downcase: downcase, ignore_case: ignore_case, **context_properties).tap do |scheme| scheme.previous_schemes = global_previous_schemes_for(scheme) + Array.wrap(previous).collect { |scheme_config| ActiveRecord::Encryption::Scheme.new(**scheme_config) } end end
source_attribute_from_preserved_attribute(attribute_name) Link
Given a attribute name, it returns the name of the source attribute when it’s a preserved one.