dwyl / learn-elixir

:droplet: Learn the Elixir programming language to build functional, fast, scalable and maintainable web applications!

How to Encrypt/Decrypt Sensitive Data in Elixir?

nelsonic opened this issue · comments

Scenario

We want to encrypt (personal) data before storing it in PostgreSQL.
So that if for any reason the DB is ever "compromised" through SQL injection or other "attack",
the data is strongly encrypted and thus the "leak" is (somewhat) "mitigated".
read: https://security.stackexchange.com/questions/56278/field-level-encryption-vs-disk-encryption-for-pci-compliance

The starting point is to read the Erlang crypto docs: http://erlang.org/doc/man/crypto.html
It has lots of detail but few practical examples ...

Requirement

  • Use Symmetric Key Encryption
  • Determine additional CPU/Memory load impact from encrypting individual fields vs. entire record.

We read: https://github.com/rubencaro/cipher which is "overkill" for what we need.

Example code:

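```elixir
# encryption key: AES-128 needs 16 raw bytes; the hex-encoded digest was a 64-byte string
key = :crypto.hash(:sha256, "get key from aws parameter store") |> binary_part(0, 16)
# initialisation vector (fixed here for the demo; use a fresh random IV per message in practice)
iv = "clave2 con chicha" |> String.slice(0,16)
# data
data = "Hello World!"
IO.puts "data (before encryption): " <> data
# encrypt: :crypto.aes_cbc_128_encrypt/3 is gone from current OTP releases, so use
# crypto_one_time/5; PKCS padding is needed because CBC only takes whole 16-byte blocks
encrypted = :crypto.crypto_one_time(:aes_128_cbc, key, iv, data, encrypt: true, padding: :pkcs_padding)
# the ciphertext is raw bytes, so Base64-encode it before printing
IO.puts "encrypted: " <> Base.encode64(encrypted)
```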

Looked at: https://github.com/danielberkompas/cloak

I'm working on this: https://github.com/nelsonic/phoenix-ecto-encryption-example
as a general example with a practical recommendation.
It's not a P1 because it's not "costing us money" or "causing us losses"
(so if there is anything "more urgent" I need to focus on, please just assign it to me!)
But this is relevant to all our projects/clients because encryption "at rest" for all data
is essential for data protection ...

https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
lol!
anyway ... preparing-for-the-gdpr-12-steps.pdf

This is a good (quick) read on the subject of Encryption and GDPR:
https://www.linkedin.com/pulse/gdpr-encryption-mandatory-gary-hibberd

Conclusion: it's NOT a "requirement".
It's an <option> that data processors can/should consider.
But given that no real detail is given in the GDPR doc, we don't have much to go on.

So we are proactively implementing encryption at rest for all personal data. 🔐

The example/tutorial is ready for "early review":
https://github.com/dwyl/phoenix-ecto-encryption-example
@Cleop if you have time to give some feedback (a PR with improvements) would be Ace!
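
The scenario at the top of this issue asks for symmetric encryption of individual fields before they are stored in PostgreSQL. The following is an added example, not code from this thread or from the linked repositories, showing one way to do that with AES-256-GCM from Erlang's `:crypto`, so that a modified or wrongly keyed value is rejected on decryption. The `FieldCrypto` module, its function names, the `"field-v1"` associated data and the sample key and value are assumptions made for illustration; it assumes OTP 22 or later.

```elixir
defmodule FieldCrypto do
  # Hypothetical module for illustration; not part of any library named in this thread.
  @aad "field-v1"   # associated data: authenticated but not encrypted
  @iv_len 12        # 96-bit IV, the usual size for GCM
  @tag_len 16       # 128-bit authentication tag

  # Encrypts one field value and returns iv <> tag <> ciphertext as a single
  # binary, so the IV and tag travel with the value in one column.
  def encrypt(plaintext, key) when byte_size(key) == 32 do
    iv = :crypto.strong_rand_bytes(@iv_len)

    {ciphertext, tag} =
      :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, plaintext, @aad, true)

    iv <> tag <> ciphertext
  end

  # Splits the stored binary back into its parts and verifies the tag.
  def decrypt(<<iv::binary-size(@iv_len), tag::binary-size(@tag_len), ciphertext::binary>>, key)
      when byte_size(key) == 32 do
    case :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, ciphertext, @aad, tag, false) do
      :error -> {:error, :invalid_ciphertext}
      plaintext -> {:ok, plaintext}
    end
  end

  # Anything too short to contain an IV and a tag is rejected outright.
  def decrypt(_other, _key), do: {:error, :invalid_ciphertext}
end

# Constructed sample key and value; a real key is 32 random bytes from a secret store.
key = :crypto.strong_rand_bytes(32)
stored = FieldCrypto.encrypt("alice@example.com", key)
{:ok, "alice@example.com"} = FieldCrypto.decrypt(stored, key)

# Flip one bit of the stored ciphertext: decryption fails instead of returning garbage.
<<head::binary-size(30), byte, rest::binary>> = stored
tampered = head <> <<:erlang.bxor(byte, 1)>> <> rest
{:error, :invalid_ciphertext} = FieldCrypto.decrypt(tampered, key)

# A different key is rejected the same way.
{:error, :invalid_ciphertext} = FieldCrypto.decrypt(stored, :crypto.strong_rand_bytes(32))

# The same plaintext encrypts to a different value each time because the IV is fresh.
true = FieldCrypto.encrypt("alice@example.com", key) != stored
```

Because every value gets its own random IV, equal plaintexts do not produce equal stored values, so an encrypted column cannot be searched or indexed by equality.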