Simon wrote:
> Hi,
> 
> I have an application where I want to be able to encrypt large amounts
> of text before storing them to my DB (MySQL Text field - might be
> switched to a Blob).  I have an idea of how to do this, but was
> wondering what the general consensus is within the community regarding
> the issue.

You should probably use a blob field unless you also Base64 encode the 
encryption, which then would allow you to use a text field.

> I have come across a couple different plug ins/gems (Stringbox,
> EzCrypto), but am wondering what other people are using.  I like the

A lot of the UNIX based systems (including Mac OS X) have the OpenSSL 
library pre-installed. OpenSSL contains all the modern crypto 
functionality you should ever need for this. Check out the Ruby OpenSSL 
support.

> idea of using Symmetric-key cryptography (and in particular, I would
> like to be using Twofish), and then probably encrypting the random
> password and IV for each encryption using a public key scheme.

Why Twofish when there exists the very popular AES (Rijndael algorithm) 
that is really fast and very strong?

In any case you certainly want to use a symmetric algorithm. 
Public/Private key encryption is very slow and inefficient. Use public 
key encryption only to encrypt the keys for the symmetric algorithm, but 
then only if you have to transmit the keys over a public network.

If all the encryption occurs server-side there is no need to encrypt any 
keys. Just use the same security mechanisms to protect your symmetric 
key(s) as you would for protecting a private key.

> I guess I am wondering what other people's response to such an
> approach is, and whether or not there are suggestions for other
> approaches.  My main concern with the approach noted above is how to
> secure the private key used to encrypt the key and IV used to encrypt
> the actual text.

Securing the private key is easy, NEVER let anyone else gain access to 
it. :) You just have to set up the security of the system so that there 
is no public access to whatever is storing your private keys.

> I am also wondering if using Twofish is possible with a Rails app.
> From what I have seen in the openSSL documentation, only Blowfish -
> the predecessor to Twofish - is available, or AES.

Again AES is the algorithm I would choose. It's the most advanced 
symmetric algorithm I'm aware of and is the one used in the SSL/TLS 
protocols.

-- 
Posted via http://www.ruby-forum.com/.
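
An added example, not part of the original posts: server-side AES encryption of a large text with Ruby's OpenSSL bindings, a fresh random IV per record, and output as raw bytes for a BLOB column or Base64 for a TEXT column. The `TextVault` module name, the choice of AES-256-GCM as the mode, the `aad` record label and the caller-supplied 32-byte key are assumptions of this example; the thread itself only says "AES".

```ruby
require "openssl"
require "base64"

# Hypothetical helper for this example; not from any gem named in the thread.
module TextVault
  CIPHER  = "aes-256-gcm" # mode chosen for this example (authenticated)
  IV_LEN  = 12            # default GCM IV length in OpenSSL
  TAG_LEN = 16

  # Returns raw bytes laid out as iv || tag || ciphertext (BLOB column).
  # aad is a non-secret label, e.g. "table:id", bound into the auth tag.
  def self.encrypt(plaintext, key, aad)
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.encrypt
    cipher.key = key
    iv = cipher.random_iv          # new IV for every record
    cipher.auth_data = aad
    ciphertext = cipher.update(plaintext) + cipher.final
    iv + cipher.auth_tag(TAG_LEN) + ciphertext
  end

  # Raises OpenSSL::Cipher::CipherError if the record, key or aad is wrong.
  def self.decrypt(blob, key, aad)
    raise ArgumentError, "record too short" if blob.bytesize < IV_LEN + TAG_LEN
    cipher = OpenSSL::Cipher.new(CIPHER)
    cipher.decrypt
    cipher.key = key
    cipher.iv = blob.byteslice(0, IV_LEN)
    cipher.auth_tag = blob.byteslice(IV_LEN, TAG_LEN)
    cipher.auth_data = aad
    ciphertext = blob.byteslice(IV_LEN + TAG_LEN, blob.bytesize)
    (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
  end

  # Base64 variants for storage in a TEXT column.
  def self.encrypt_text(plaintext, key, aad)
    Base64.strict_encode64(encrypt(plaintext, key, aad))
  end

  def self.decrypt_text(encoded, key, aad)
    decrypt(Base64.strict_decode64(encoded), key, aad)
  end
end
```

The key is deliberately an argument: it should be loaded from somewhere outside the database, protected the way the reply describes for a private key.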
