How to Encrypt/Decrypt Sensitive Data in Elixir?
nelsonic opened this issue · comments
Scenario
We want to encrypt (personal) data before
storing it in PostgreSQL.
So that if for any reason the DB is ever "compromised" through SQL injection or other "attack",
the data is strongly encrypted and thus the "leak" is (somewhat) "mitigated".
read: https://security.stackexchange.com/questions/56278/field-level-encryption-vs-disk-encryption-for-pci-compliance
The starting point is to read the Erlang crypto
docs: http://erlang.org/doc/man/crypto.html
It has lots of detail but few practical examples ...
Requirement
- Use Symmetric Key Encryption
- Determine additional CPU/Memory load impact from encrypting individual fields vs. entire record.
We read: https://github.com/rubencaro/cipher which is "overkill" for what we need.
Example code:
# encryption key
key = :crypto.hash(:sha256, "get key from aws parameter store") |> Base.encode16
# initialisation vector
iv = "clave2 con chicha" |> String.slice(0,16)
# data
data = "Hello World!"
IO.puts "data (before encryption): " <> data
# encrypt:
encrypted = :crypto.aes_cbc_128_encrypt key, iv, data
IO.puts "encrypted: " <> encrypted
Looked at: https://github.com/danielberkompas/cloak
I'm working on this: https://github.com/nelsonic/phoenix-ecto-encryption-example
as a general example with a practical recommendation.
It's not a P1
because it's not "costing us money" or "causing us losses"
(so if there is anything "more urgent" I need to focus on, please just assign it to me!)
But this is relevant to all our projects/clients because encryption "at rest" for all data
is essential for data protection ...
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
lol!
anyway ... preparing-for-the-gdpr-12-steps.pdf
This is a good (quick) read on the subject of Encryption and GDPR:
https://www.linkedin.com/pulse/gdpr-encryption-mandatory-gary-hibberd
Conclusion: it's NOT a "requirement".
It's an <option>
that data processors can/should consider.
But given that no real detail is given in the GDPR doc, we don't have much to go on.
So we are proactively implementing encryption at rest for all personal data. 🔐
The example/tutorial is ready for "early review":
https://github.com/dwyl/phoenix-ecto-encryption-example
@Cleop if you have time to give some feedback (a PR with improvements) would be Ace!
I consider this to be done.
GOTO: https://github.com/dwyl/phoenix-ecto-encryption-example