Feature request: Encryption for Active Storage files

Active Record Encryption does a great job at helping defend personally identifiable information (PII) and confidential data that is stored encrypted in the database against server intrusions.

However, any files “attached” via Active Storage are stored unencrypted in the file system, and thus remain open to attackers. Thus, it would be great to have these files encrypted as well, via a new Active Storage option encrypted: true, like:

class User < ApplicationRecord
  has_many_attached :financial_statements, encrypted: true
  has_many_attached :confidential_inventions, encrypted: true
  has_many_attached :sensitive_pictures, encrypted: true
end
2 Likes

This is a great idea. It should probably feature a global option to set a default (e.g.: encrypt all the attachments by default).

When using a cloud storage service such as S3, there is a very easy path to protect Active Storage attachments with encryption: encrypting the key column in blobs. It’s not the same as encrypting stored contents, but it’s effective to prevent locating the attached contents for a given attachment and blobs. This works on top of the at-rest encryption you should have enabled in the service, of course.

We do this in HEY to encrypt both the key and the filename in blobs:

ActiveSupport.on_load :active_storage_blob do
  encrypts :key, deterministic: true
  encrypts :filename
end

Notice that you should increase the size of the encrypted columns to accommodate the encryption overload as explained in the encryption guide. We set 510 for 255 string columns.

I’d love to add support for this to Rails too.

1 Like
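
Added example (not code from this thread or from Rails): a simplified plain-Ruby model of the two points in the reply above, namely that a deterministically encrypted `key` can still be matched by equality while a randomly encrypted `filename` cannot, and that the stored value outgrows a 255-character column. The `ToyColumnCipher` module, its envelope format, the demo keys and the sample blob values are all assumptions made for illustration; Active Record Encryption's real message format and sizes differ.

```ruby
require "openssl"
require "base64"
require "json"

# Simplified model only: NOT Rails' implementation or stored message format.
module ToyColumnCipher
  # Constructed demo keys; a real app would load these from credentials.
  ENC_KEY = OpenSSL::Digest::SHA256.digest("constructed demo encryption key")
  IV_KEY  = OpenSSL::Digest::SHA256.digest("constructed demo iv key")

  # deterministic: true derives the IV from an HMAC of the plaintext, so the
  # same value always produces the same ciphertext and can be matched with =.
  def self.encrypt(plaintext, deterministic: false)
    iv = if deterministic
      OpenSSL::HMAC.digest("SHA256", IV_KEY, plaintext)[0, 12]
    else
      OpenSSL::Random.random_bytes(12)
    end
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = ENC_KEY
    cipher.iv = iv
    cipher.auth_data = ""
    body = cipher.update(plaintext) + cipher.final
    parts = { "p" => body, "iv" => iv, "at" => cipher.auth_tag }
    JSON.generate(parts.transform_values { |v| Base64.strict_encode64(v) })
  end

  def self.decrypt(stored)
    parts = JSON.parse(stored).transform_values { |v| Base64.strict_decode64(v) }
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = ENC_KEY
    cipher.iv = parts["iv"]
    cipher.auth_tag = parts["at"]
    cipher.auth_data = ""
    (cipher.update(parts["p"]) + cipher.final).force_encoding("UTF-8")
  end
end

# Constructed sample values standing in for one blob row.
BLOB_KEY = "c0nstructedblobkey0123456789"
FILENAME = "statement-" + ("x" * 241) + ".pdf" # 255 characters
ROWS = [{ key: ToyColumnCipher.encrypt(BLOB_KEY, deterministic: true),
          filename: ToyColumnCipher.encrypt(FILENAME) }].freeze

# Equality lookup over stored ciphertexts, as a WHERE key = ? query would do.
def find_row(rows, blob_key)
  needle = ToyColumnCipher.encrypt(blob_key, deterministic: true)
  rows.find { |row| row[:key] == needle }
end
```

The trade-off the model makes visible: deterministic mode reveals when two rows hold the same value, which is acceptable for a unique random token like the blob key and is why the filename is left non-deterministic.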