I had the idea that it would be nice if AR encryption stored the hash_digest_class for encrypted attributes along with the other encryption headers it already has. Does this make sense and seem worthwhile?
This would make it possible for a rails application to switch from SHA1 to SHA256 without needing to do any kind of expensive migration steps and it might make everyone’s life easier down the road when Rails wants to change the default hash_digest_class from SHA256 to something else.
Something like this?
{
p: "po3u77pr5+NOehAcH3oTMB7Qby+kJ9oY",
h: {
iv: "zMXIuaQUewNLc4CX",
at: "I5K1muiZXTxYg11QUy6U5A==",
e: "QVNDSUktOEJJVA==",
d: "SHA256"
}
}
What led me to think about this was that I ran into Upgrade to Rails 7.1 alpha breaks ActiveRecord attribute encryption (deterministic) · Issue #48204 · rails/rails · GitHub when upgrading from rails 7.0 to 7.1.