Validating with Encryption

I am encrypting data mainly email addresses. I would like to use the validations built into rails however I am not sure how to do that given that the actual data stored in the database is an encrypted version. i would like to run the validation on the decrypted version of the data.

Thanks.

tashfeen.ekram wrote:

I am encrypting data mainly email addresses. I would like to use the validations built into rails however I am not sure how to do that given that the actual data stored in the database is an encrypted version. i would like to run the validation on the decrypted version of the data.

Okay, so perform your encryption after validation not before.

http://railsapi.com/doc/rails-v2.3.5/classes/ActiveRecord/Callbacks.html#M001182

hmmm.... ok. i was using strongbox gem. what you recommends seems like it would work if i wrote my own encryption. i think the encryption in the gem is carried out prior to validation. is there another way in which i can still use strongbox?

Is there a way to use validation however you can pass a function (or a string) to validate on and not the actual value stored in the db?

tashfeen.ekram wrote:

Is there a way to use validation however you can pass a function (or a string) to validate on and not the actual value stored in the db?

What would be the point of that? If you don't want to validate your actual data, then don't.

Best,

tashfeen.ekram wrote:

hmmm.... ok. i was using strongbox gem. what you recommends seems like it would work if i wrote my own encryption. i think the encryption in the gem is carried out prior to validation. is there another way in which i can still use strongbox?

I've not looked at the strongbox gem, but if that's the case I would avoid using that gem. If you're going to have a gem do your encrypting/decrypting it should be transparent to the application layer IMHO. This would mean hooking itself in right above the database adaptor layer so that all the higher level ActiveRecord/ActiveModel stuff just works as normal.

Maybe you should find a better gem, or roll your own. Encryption isn't exactly rocket science to implement these days (maybe their implementations are akin to rocket science, but modern abstractions aren't).

hmmm. what you mention does make sense. perhaps i will roll my own.

however, i would like to completely understand. so, ideally the encryption should work such that all of the active record attributes work as expected. when retrieving an attribute you would get the expected object.

i dont have any experience to do such a thing. any references of of other gems doing anything remotely similar to this?

tashfeen.ekram wrote:

hmmm. what you mention does make sense. perhaps i will roll my own.

however, i would like to completely understand. so, ideally the encryption should work such that all of the active record attributes work as expected. when retrieving an attribute you would get the expected object.

i dont have any experience to do such a thing. any references of of other gems doing anything remotely similar to this?

I don't know of any specific gems. I was just thinking conceptually as follows:

1. User enters, obviously, clear text into a form field. 2. User submits form over SSL to ensure encrypted transmission. 3. Rails stack processes data into the params hash. 4. Controller sends "save" message to ActiveRecord instance. 5. ActiveRecord/ActiveModel callback chain (e.g. before_validation, after_validation, before_save, after_save, etc.) all occur as normal. 6. Either inside or after validation, but before save, encryption occurs.

One possibility would be for a gem to add a couple of new callback hooks to the chain. Maybe something like before_encryption and after_encryption. But, that's probably not even necessary in this case.

If I were to implement something like this I would probably call my encryption routine from within after_validation. This should occur before the data actually gets saved to the database. If some problems occur during encryption then after_validation should return false having the effect of canceling the save. At that point "save" should also return false and you're controller should handle that in the normal way.

You would also need some way to decrypt the data after a "find" operation. I don't think that Rails has any built-in hooks for this, but I could be wrong about that. I used to use a ORM called Enterprise Objects (EOF) that supported such a mechanism though use of the delegate pattern. There was a delegate method "awakeFromFetch()" that EOEnterpriseObject subclasses could override to perform initialization after fetch. This provided a nice place to "hook in" to perform these kinds of things. But, I can't think of any such convenience in Rails, but that's not a "show-stopper."

P.S. Out of curiosity I looked at the stongbox gem. From a quick glance I don't think it would be something that would interest me. It uses public key technology, which I just don't see the benefit of using given it huge trade-off in performance. I really think a symmetric key system would make a lot more sense for most cases. I could certainly be missing some important point, however.