
All the time I read about web services that defend user data by encrypting everything. In case of theft of the database, everything is safe (provided we assume all the usual stuff of cryptography).

I'm playing with a small Sinatra application (not really planning to launch it, it's more for an educational purpose) using the DataMapper ORM on top of SQLite. I implemented basic user authentication (hashing and salting... all the usual stuff, in short) and I am happy with it.

The fact is that the core of the application requires personal information about the user: weights and other bodily measurements (which can without any doubt be considered personal and sensitive data, which people might not want to be public). So I'm wondering, how can I safely store that data? In the application everything is accessed only by the proper user (although, being quite a beginner in these things and having coded almost everything by hand, I'm quite sure there are a lot of security bugs... but as I said I'm not really planning to do anything with it).

I thought about encrypting it using the user password and decrypting it after successful authentication, but then what if the password is forgotten? What if the password is changed? I read (here on SO) that for these reasons it's best not to do it this way... but then how can it be done?


1 Answer


You can do a gem install attr_secure and then do the following on your Ruby objects:

Set ATTR_SECURE_SECRET in the environment, so that ENV["ATTR_SECURE_SECRET"] works in the application. Also, set/change any table columns holding encrypted values so that they can store the long encrypted values.

Now you can do this (example from the attr_secure README):

class Report < ActiveRecord::Base
  attr_secure :secret_value
end

r = Report.new
r.secret_value = "ThisIsATest"
r.save
=> #<Report id: 116, secret_value: "EKq88AMFeRLqEx5knUcoJ4LOnrv52d7hfAFgEKMoDKzqNei4m7k...">

r = Report.find(116)
r.secret_value
=> "ThisIsATest"

You can read more at: https://github.com/neilmiddleton/attr_secure

answered 2015-03-21T07:28:28.633
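The answer's approach, encrypting a field with a server-side secret from the environment rather than with the user's password, is what makes password changes and resets harmless: the stored ciphertext never depends on the password. The block below is an added example (not attr_secure's own code, and not from the original post) that implements that pattern directly with Ruby's OpenSSL binding: a 256-bit key derived from ATTR_SECURE_SECRET with HKDF, AES-256-GCM with a fresh random nonce per value, and the attribute name bound in as authenticated data so a ciphertext cannot be copied from one column into another. The FieldCrypto and EncryptedAttributes names, the Measurement class, and the demo secret are all assumptions made for the example.

```ruby
require "openssl"
require "base64"

# Constructed demo secret so this file runs stand-alone. In deployment generate one
# with `openssl rand -base64 32`, set it outside the app, and never commit it.
ENV["ATTR_SECURE_SECRET"] ||= "demo-only-secret-do-not-use-in-production"

# Field-level encryption with a server-side key (example code, not attr_secure's).
module FieldCrypto
  CIPHER   = "aes-256-gcm"
  IV_LEN   = 12          # 96-bit nonce, the recommended GCM size
  TAG_LEN  = 16
  KDF_SALT = "field-crypto-example-salt"   # public, fixed; the secret is the env var

  # Derive a 256-bit AES key from the (random, high-entropy) env secret via HKDF.
  # The key lives with the app, not in the user's password, so a password change
  # or reset never touches stored ciphertext.
  def self.key
    secret = ENV.fetch("ATTR_SECURE_SECRET") { raise "ATTR_SECURE_SECRET is not set" }
    OpenSSL::KDF.hkdf(secret, salt: KDF_SALT, info: "field-encryption-v1", length: 32, hash: "sha256")
  end

  # Returns base64(iv || ciphertext || tag). `context` (e.g. the column name) is
  # bound in as authenticated data, so moving a blob to another column fails to decrypt.
  def self.encrypt(plaintext, context:)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv                 # fresh random nonce for every value
    cipher.auth_data = context
    ct = (plaintext.empty? ? "" : cipher.update(plaintext)) + cipher.final
    Base64.strict_encode64(iv + ct + cipher.auth_tag(TAG_LEN))
  end

  # Raises OpenSSL::Cipher::CipherError if the tag does not verify (modified bytes,
  # wrong key, or wrong context). Plaintext is assumed to be UTF-8.
  def self.decrypt(blob, context:)
    raw = Base64.strict_decode64(blob)
    raise OpenSSL::Cipher::CipherError, "ciphertext too short" if raw.bytesize < IV_LEN + TAG_LEN
    iv  = raw.byteslice(0, IV_LEN)
    tag = raw.byteslice(raw.bytesize - TAG_LEN, TAG_LEN)
    ct  = raw.byteslice(IV_LEN, raw.bytesize - IV_LEN - TAG_LEN)
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = context
    pt = (ct.empty? ? "" : cipher.update(ct)) + cipher.final
    pt.force_encoding(Encoding::UTF_8)
  end

  # true when the blob fails authentication or is not even valid base64
  def self.tampered?(blob, context:)
    decrypt(blob, context: context)
    false
  rescue OpenSSL::Cipher::CipherError, ArgumentError
    true
  end
end

# attr_encrypted :weight_kg gives weight_kg / weight_kg= that encrypt transparently,
# plus weight_kg_ciphertext, the opaque value that would go into the DB column.
module EncryptedAttributes
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_encrypted(name)
      ivar = "@#{name}_ciphertext"
      define_method("#{name}_ciphertext") { instance_variable_get(ivar) }
      define_method("#{name}=") do |value|
        instance_variable_set(ivar, value.nil? ? nil : FieldCrypto.encrypt(value.to_s, context: name.to_s))
      end
      define_method(name) do
        blob = instance_variable_get(ivar)
        blob && FieldCrypto.decrypt(blob, context: name.to_s)
      end
    end
  end
end

# Hypothetical model for the body-measurement data in the question.
class Measurement
  include EncryptedAttributes
  attr_encrypted :weight_kg
  attr_encrypted :waist_cm
end

if __FILE__ == $0
  m = Measurement.new
  m.weight_kg = 72.4
  puts m.weight_kg_ciphertext   # opaque base64, different on every assignment
  puts m.weight_kg              # 72.4
end
```

Two things to check before using a pattern like this in earnest: the database column must be wide enough for base64(12 + len + 16) bytes, as the answer notes, and the secret should be long and random, since HKDF does not add entropy to a weak one. Because the key is tied to the deployment rather than to the password, rotating it means re-encrypting every row with the new key, which is the trade-off for password resets being painless.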