How to Encrypt/Decrypt Sensitive Data in Elixir? #80

Closed
2 tasks done
nelsonic opened this issue Jan 22, 2018 · 4 comments
Labels
enhancement New feature or enhancement of existing functionality priority-2 Second highest priority, should be worked on as soon as the Priority-1 issues are finished question A question needs to be answered before progress can be made on this issue T1d Time Estimate 1 Day

Comments

@nelsonic
Member

nelsonic commented Jan 22, 2018

Scenario

We want to encrypt (personal) data before storing it in PostgreSQL.
So that if for any reason the DB is ever "compromised" through SQL injection or other "attack",
the data is strongly encrypted and thus the "leak" is (somewhat) "mitigated".
read: https://security.stackexchange.com/questions/56278/field-level-encryption-vs-disk-encryption-for-pci-compliance

The starting point is to read the Erlang crypto docs: http://erlang.org/doc/man/crypto.html
It has lots of detail but few practical examples ...

Requirement

  • Use Symmetric Key Encryption
  • Determine additional CPU/Memory load impact from encrypting individual fields vs. entire record.

We read: https://github.com/rubencaro/cipher which is "overkill" for what we need.

Example code:

# encryption key: sha256 yields 32 raw bytes, which is an AES-256 key
# (hex-encoding the hash gives a 64-byte string that no AES key size accepts)
key = :crypto.hash(:sha256, "get key from aws parameter store")
# initialisation vector: 16 fresh random bytes per message, not a fixed string
iv = :crypto.strong_rand_bytes(16)
# data
data = "Hello World!"
IO.puts "data (before encryption): " <> data
# encrypt: aes_cbc_128_encrypt/3 no longer exists in OTP; CBC needs the input
# padded to a 16-byte block, so ask crypto_one_time/5 for PKCS#7 padding
encrypted = :crypto.crypto_one_time(:aes_256_cbc, key, iv, data, encrypt: true, padding: :pkcs_padding)
IO.puts "encrypted (base64, iv prepended): " <> Base.encode64(iv <> encrypted)
# decrypt with the same key and iv to confirm the round trip
decrypted = :crypto.crypto_one_time(:aes_256_cbc, key, iv, encrypted, encrypt: false, padding: :pkcs_padding)
IO.puts "decrypted: " <> decrypted

Looked at: https://github.com/danielberkompas/cloak
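Added example, not code from this issue or from the cipher/cloak libraries: authenticated encryption (AES-256-GCM) of personal fields before they reach PostgreSQL, plus a rough timing of the two strategies the requirement asks about, encrypting each field separately versus the whole record as one blob. The secret literal, the AAD string and the sample record are constructed placeholders.

```elixir
defmodule FieldCrypto do
  @moduledoc "Field-level vs record-level AES-256-GCM encryption with a timing helper."

  # Constructed context string; bound into the auth tag so a ciphertext
  # copied into a different column/version fails to decrypt.
  @aad "person-record-v1"

  # Derive a 32-byte key. In production load the secret from a secrets
  # manager; the literal here is a placeholder, not a real secret.
  def key, do: :crypto.hash(:sha256, "PLACEHOLDER-secret-from-parameter-store")

  # Returns iv <> tag <> ciphertext so a single bytea column can hold it all.
  def encrypt(plaintext, key) when is_binary(plaintext) do
    iv = :crypto.strong_rand_bytes(12)
    {ct, tag} = :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, plaintext, @aad, true)
    iv <> tag <> ct
  end

  # Returns {:ok, plaintext}, or :error when the tag does not verify
  # (wrong key, tampered ciphertext, or different AAD).
  def decrypt(<<iv::binary-12, tag::binary-16, ct::binary>>, key) do
    case :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, ct, @aad, tag, false) do
      :error -> :error
      pt -> {:ok, pt}
    end
  end

  def decrypt(_, _), do: :error

  # Strategy 1: one ciphertext per field (each field stays individually queryable/rotatable).
  def encrypt_fields(record, key) do
    Map.new(record, fn {k, v} -> {k, encrypt(v, key)} end)
  end

  # Strategy 2: the whole record serialised and encrypted as one blob.
  def encrypt_record(record, key), do: encrypt(:erlang.term_to_binary(record), key)

  # Microseconds spent on n iterations of each strategy over a constructed sample record.
  def bench(n \\ 10_000) do
    record = %{name: "Ada Lovelace", email: "ada@example.com", phone: "+44 20 7946 0000"}
    k = key()
    {t_fields, _} = :timer.tc(fn -> for _ <- 1..n, do: encrypt_fields(record, k) end)
    {t_record, _} = :timer.tc(fn -> for _ <- 1..n, do: encrypt_record(record, k) end)
    %{per_field_us: t_fields, whole_record_us: t_record}
  end
end
```

Run `FieldCrypto.bench()` in iex to get the relative cost; `FieldCrypto.decrypt(FieldCrypto.encrypt("x", FieldCrypto.key()), FieldCrypto.key())` returns `{:ok, "x"}`.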

@nelsonic nelsonic added enhancement New feature or enhancement of existing functionality question A question needs to be answered before progress can be made on this issue labels Jan 22, 2018
@nelsonic nelsonic changed the title How to Encrypt/Decrypt Data/Strings in Elixir? How to Asymmetrically Encrypt/Decrypt Sensitive Data in Elixir? Jan 23, 2018
@nelsonic nelsonic changed the title How to Asymmetrically Encrypt/Decrypt Sensitive Data in Elixir? How to Encrypt/Decrypt Sensitive Data in Elixir? Jan 23, 2018
@nelsonic nelsonic added this to In progress in Nelson's List Feb 26, 2018
@nelsonic nelsonic self-assigned this Feb 26, 2018
@nelsonic
Member Author

I'm working on this: https://github.com/nelsonic/phoenix-ecto-encryption-example
as a general example with a practical recommendation.
It's not a P1 because it's not "costing us money" or "causing us losses"
(so if there is anything "more urgent" I need to focus on, please just assign it to me!)
But this is relevant to all our projects/clients because encryption "at rest" for all data
is essential for data protection ...

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
lol!
anyway ... preparing-for-the-gdpr-12-steps.pdf

@nelsonic nelsonic added T1d Time Estimate 1 Day priority-2 Second highest priority, should be worked on as soon as the Priority-1 issues are finished labels Feb 26, 2018
@nelsonic
Member Author

This is a good (quick) read on the subject of Encryption and GDPR:
https://www.linkedin.com/pulse/gdpr-encryption-mandatory-gary-hibberd

Conclusion: it's NOT a "requirement".
It's an <option> that data processors can/should consider.
But given that no real detail is given in the GDPR doc, we don't have much to go on.

So we are proactively implementing encryption at rest for all personal data. 🔐

@nelsonic nelsonic moved this from In progress to Done in Nelson's List May 18, 2018
@nelsonic
Member Author

The example/tutorial is ready for "early review":
https://github.com/dwyl/phoenix-ecto-encryption-example
@Cleop if you have time to give some feedback (a PR with improvements) would be Ace!

@nelsonic
Member Author

nelsonic commented Jul 3, 2018
