Hi Simon,

the combination of symmetric and asymmetric encryption as used in
Strongbox works and performs quite well for me. The author of
Strongbox has explained in detail how to do this in his blog
(http://stuff-things.net/2008/02/05/encrypting-lots-of-sensitive-data-with-ruby-on-rails/).
As far as I know, you don't have to encrypt the IV, just the random
password.

In my app, every user has his own pair of keys and the private key is
stored encrypted with the user's password. This works fine, as long as
strong passwords are selected. You can make it harder to brute force
the key through password salting and stretching
(http://en.wikipedia.org/wiki/Key_strengthening). When a user is logged
in, his password is stored temporarily in the session cookie. To
prevent cookie sniffing, you should use encryption for this as well.

Through this, the encryption and decryption works transparently in the
background without the users even noticing.

Sam

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com
To unsubscribe from this group, send email to 
rubyonrails-talk+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
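The scheme Sam describes (a random symmetric key per field, that key encrypted with the user's public key, the IV stored in the clear, and the private key kept encrypted under a salted and stretched password), written out as an added example that is not Strongbox's code nor from the post. It assumes AES-256-CBC, PBKDF2-HMAC-SHA256 with a 100,000-iteration count, and RSA-OAEP, none of which the post specifies.

```ruby
require 'openssl'
require 'securerandom'

# Each field is encrypted with a fresh random symmetric key; only that key is
# encrypted with the user's RSA public key, and the IV is stored in the clear.
# The private key is stored encrypted under a key derived from the user's
# password with a random salt and PBKDF2 stretching (assumed parameters below).
# Note: CBC alone gives no integrity protection; add a MAC if tampering matters.

KDF_ITERATIONS = 100_000 # assumed stretching cost; raise it as hardware allows

def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, KDF_ITERATIONS, 32, 'sha256')
end

# Store the private key encrypted under the password-derived key.
def wrap_private_key(rsa, password)
  salt   = SecureRandom.random_bytes(16)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  cipher.key = derive_key(password, salt)
  iv = cipher.random_iv
  { salt: salt, iv: iv, blob: cipher.update(rsa.to_pem) + cipher.final }
end

# Recover the private key; a wrong password fails with an OpenSSL error.
def unwrap_private_key(wrapped, password)
  cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = derive_key(password, wrapped[:salt])
  cipher.iv  = wrapped[:iv]
  OpenSSL::PKey::RSA.new(cipher.update(wrapped[:blob]) + cipher.final)
end

# Encrypt one field: data under a random symmetric key, key under the RSA public key.
def encrypt_field(plaintext, public_key)
  cipher  = OpenSSL::Cipher.new('aes-256-cbc').encrypt
  sym_key = cipher.random_key
  iv      = cipher.random_iv
  { ciphertext: cipher.update(plaintext) + cipher.final, iv: iv,
    encrypted_key: public_key.public_encrypt(sym_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING) }
end

# Decrypt one field with the unwrapped private key.
def decrypt_field(record, private_key)
  sym_key = private_key.private_decrypt(record[:encrypted_key], OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  cipher  = OpenSSL::Cipher.new('aes-256-cbc').decrypt
  cipher.key = sym_key
  cipher.iv  = record[:iv]
  cipher.update(record[:ciphertext]) + cipher.final
end
```

The `wrapped` hash and the per-field `record` hash are what would be persisted; the password is needed only at unwrap time, which is why it has to be available (encrypted) in the session.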