Sequel-vault

Use fernet to encrypt columns values in your Sequel database.

Installation

Install it directly using gem:

gem install sequel_vault

Or adding it to your Gemfile:

gem "sequel_vault"

Usage

Configure

A straightforward example, passing keys and columns that will be encrypted transparently:

class Credential < Sequel::Model
  plugin :vault, ['9cLL4qVO+bkEqGQtcvQX4Cz4uJ1ni9Nb83ipU/9klsw='], :token
end

Along with a typical migration for this setup:

Sequel.migration do
  change do
    alter_table(:credentials) do
      add_column(:token, :bytea)
      add_column(:token_digest, :bytea)
      add_column(:key_id, :smallint)
    end
  end
end

Keys

Vault use fernet behind the scene, the keys should be 32 bytes of random data, base64-encoded.

To generate one you can use:

$ dd if=/dev/urandom bs=32 count=1 2>/dev/null | openssl base64

You can specify more than one key to be used. The last keys of the array will be used as the default for encryption.

Keys migration

If a key_id column is present, vault will set its value to the length of the keys array. You can check if a key is still in use using:

Credential.where(key_id: 1).empty?

You should avoid removing a key when using key_id, unless you proceed to migrate its value.

Here is a migration example to add a key_id column:

Sequel.migration do
  change do
    alter_table(:credentials) do
      add_column(:key_id, :smallint)
    end
  end
end

Digest lookup

To allow lookup by a know secret, vault allow an optional digest column for each encrypted attribute, using the _digest suffix:

Sequel.migration do
  change do
    alter_table(:credentials) do
      add_column(:token_digest, :bytea)
    end
  end
end

You can then lookup using the provided dataset lookup:

Credential.token_lookup('secret')

Unencrypted data

Vault will return plain-text data if none of the keys can successfully decrypt the stored value, effectively allowing encrypt on write migration.