obfuscating sensitive data

In our app, users give us sensitive information (credentials for logging into a third-party site). At some point, we need those credentials in cleartext in order to access the third-party site, but while they're in our database, we want to make a best effort to protect them.

What techniques have people used for this? I find myself asking "WWMD" (What Would Mint.com Do?) -- any suggestions?

- ff

You might find the ezcrypto gem helpful.

HTH, Bill

I've used Strongbox (https://github.com/spikex/strongbox) to protect sensitive data before, but that was for an application where the private key password wasn't stored on the server at all (requests for the data were user-initiated and prompted for the password). Your case sounds like it might be considerably more automated, which substantially weakens the protection of 99% of systems - if you're storing the keys with the data, then an attack which gets one will likely get the other.

--Matt Jones
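
The arrangement described in the last reply (the server encrypts with a public key, and decryption needs a passphrase that is never stored on the server), as an added example that is not part of the thread and is not Strongbox's code or API. It uses Ruby's standard OpenSSL library; the function names `generate_keypair`, `seal` and `unseal` and all sample values are hypothetical.

```ruby
require "openssl"

OAEP = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# One-time setup, done away from the app server: returns the public key PEM
# and the private key PEM encrypted under the passphrase.
def generate_keypair(passphrase)
  key = OpenSSL::PKey::RSA.new(2048)
  [key.public_key.to_pem, key.to_pem(OpenSSL::Cipher.new("aes-256-cbc"), passphrase)]
end

# App server side: needs only the public key. A fresh AES-256-GCM key encrypts
# the credential and RSA-OAEP wraps that key; the hash is what the database stores.
def seal(public_pem, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  data_key = cipher.random_key
  iv = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  wrapped = OpenSSL::PKey::RSA.new(public_pem).public_encrypt(data_key, OAEP)
  { wrapped_key: wrapped, iv: iv, tag: cipher.auth_tag, ciphertext: ciphertext }
end

# Needs the encrypted private key AND the passphrase supplied at request time.
# Returns nil when the key cannot be unlocked or the record fails authentication.
def unseal(private_pem, passphrase, record)
  key = OpenSSL::PKey::RSA.new(private_pem, passphrase)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key.private_decrypt(record[:wrapped_key], OAEP)
  cipher.iv = record[:iv]
  cipher.auth_tag = record[:tag]
  cipher.update(record[:ciphertext]) + cipher.final
rescue OpenSSL::OpenSSLError
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values, not taken from the thread.
  pub, priv = generate_keypair("constructed-demo-passphrase")
  record = seal(pub, "third-party-password")
  puts "stored ciphertext bytes: #{record[:ciphertext].bytesize}"
  puts "right passphrase: #{unseal(priv, 'constructed-demo-passphrase', record).inspect}"
  puts "wrong passphrase: #{unseal(priv, 'wrong-passphrase', record).inspect}"
  puts "public key only:  #{unseal(pub, 'constructed-demo-passphrase', record).inspect}"
end
```

If the passphrase is kept in a config file next to the encrypted private key so that jobs can run unattended, the last two cases stop being a barrier, which is the weakening the reply describes.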