Field level encryption

[butterz21217]

First of all, love this gem. We use it all the time in our projects, makes working with DynamoDB much easier.

In recent times, we've had more and more uses for encrypting PII that we need to store in our databases. So far the cleanest solution I've managed to come up with looks a little like this:

module EncryptedField
  def self.included(base)
    base.extend(ClassMethods)
    base.around_save :field_encryption
    base.after_find :decrypt_fields
  end

  module ClassMethods
    def encrypted_field (name, options = {})
      field :"#{name}_cipher_text", :raw, options.merge(alias: name, encrypted: true)
    end

    def encrypted_attributes
      attributes.select { |_,v| v[:encrypted] }
    end
  end

  def field_encryption
    encrypt_fields
    yield
    decrypt_fields
  end

  def encrypt_fields
    # Logic that takes self.class.encrypted_attributes and applies an encryption method
  end

  def decrypt_fields
    # Logic that takes self.class.encrypted_attributes and applies a decryption method
  end
end

class MyModel
  include Dynamoid::Document
  include EncryptedField

  table name: :example_table
  field :email, :string
  encrypted_field :super_secret
end

class SomeHandler
  def create_new_model
    new_thing = MyModel.create({ email: '[email protected]', super_secret: 'plaintext' })
    # before the model saves, super_secret is encrypted so that the data is not in plaintext in the table
    # then decrypted after save for use in the application
    p new_thing.super_secret # => 'plaintext'
  end
end

As you can see, what's happening here is that I'm taking advantage of the alias property so that consumers of the model need only think about interacting with super_secret, but in the DB the encrypted attribute is stored against super_secret_cipher_text (this probably isn't necessary, but reminds me when I look in the DB that I'm seeing encrypted data).

This is all fine as long as other developers don't use methods on the model that skips the callbacks (e.g. upsert), otherwise data could end up being stored in plain text.

What I'd love to see in Dynamoid is an option where you can specify a field to be encrypted, and the dynamoid config takes an encryption method and decryption method. e.g.

Dynamoid.configure do |config|
  config.encyption_method :my_enc_method # => reference to method that takes a single param and returns a value
  config.decryption_method :my_dec_method # => reference to the method that takes a single param and returns a value
  # alternatively, it could be a reference to an encryption class that has an encrypt and decrypt method
  config.encryption_class MyEncryption
end

class MyEncryption
  def encrypt(plain_text)
    encrypted_text = some_encryption_method(plain_text)
    return encrypted_text # Yes, the return and variable assignment are not necessary, but demonstrate the intent
  end

  def decrypt(encrypted_text)
    plain_text = some_decryption_method(encrypted_text)
    return plain_text # again, demonstrative
  end
end

class MyModel
  include Dynamoid::Document

  table name: :example_table
  field :email, :string
  field :super_secret, :map, encrypted: true
end

Would love some feedback on how others are handling encrypted data with Dynamoid, and if something like this is going to be considered a feature in the future.

[andrykonchin]

Hello. Yes, it's seems a good feature to add into Dynamoid. It can have API similar to Rails' (see https://guides.rubyonrails.org/active_record_encryption.html).

By the way doesn't a custom type/adapter solve the issue with callbacks and persisting methods that don't run them?