acts_as_lockbox for your Rails Models
[ Posted by James Harton ]
After yesterday's post about using Lockbox to secure your models, I have implemented an acts_as_lockbox extension to ActiveRecord::Base. Here's a quick tutorial on how to make it work:
Installing Lockbox
From within your Rails application I would suggest using the plugin script to install the latest version of Lockbox directly from GitHub and checking for updates regularly, as this is a piece of security infrastructure you need to be able to rely on.
# ./script/plugin install git://github.com/jamesotron/Lockbox.git
Configuring your public and private keys
In order to securely encrypt secrets we need both a public and private key, and a pass phrase. We will just use the openssl command-line tool to generate these keys, first the private key. Make sure you select a pass phrase which would be non-trivial to guess.
# openssl genrsa -des3 -out private.pem 2048
..................................................................................................................+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for private.pem:
Verifying - Enter pass phrase for private.pem:
Next we will extract the public key from the private key so that we can use it:
# openssl rsa -in private.pem -out public.pem -outform PEM -pubout
Enter pass phrase for private.pem:
writing RSA key
Move these files into your Rails application path, (I'd suggest putting them under config/) and make sure that they are only readable from by your rails application.
The next step is to configure your config/lockbox.yml to tell Lockbox where to access the public and private keys, and optionally the pass phrase (I would not recommend this, except for your test environment or if you are absolutely certain that the pass phrase cannot be compromised).
# cat <<EOF > config/lockbox.yml
development:
public_key_path: config/public.pem
private_key_path: config/private.pem
testing:
public_key_path: vendor/plugins/lockbox/test/public.pem
private_key_path: vendor/plugins/lockbox/test/private.pem
pass_phrase: test
production:
public_key_path: config/public.pem
private_key_path: config/private.pem
EOF
Using the Lockbox API
Lockbox is a generic PK en/decryption system, meaning you can use it anywhere in your Rails app, not just in your models. The Lockbox API is very simple:
Lockbox.locked?tests if the Lockbox is still locked (ie: no correct pass phrase has been supplied yet)Lockbox.unlocked?the inverse of the above.Lockbox.try? (pass_phrase)attempt to unlock the Lockbox using the supplied pass phrase. Returns true or false depending on success.Lockbox.lock!abandons access to the public and private keys, stopping your application from being able to retrieve encrypted secrets.Lockbox.encrypt (val)encrypts a string using the public key, if the lockbox is unlocked.Lockbox.decrypt (val)decrypts an encrypted string using the private key, provided the lockbox is unlocked.
Using Lockbox in your Models
Using Lockbox in your models is as simple as using acts_as_lockbox into your model's class. acts_as_lockbox adds the locked?, unlocked?, try? and lock! methods to your model's class and creates accessors for fields supplied in the an array to the :for argument:
class User < ActiveRecord::Base
acts_as_lockbox :for => [ :password, :credit_card ]
end
In the above example if you try and access the password or credit_card fields without providing Lockbox with the pass phrase (via the Lockbox.try? or User.try? methods) then Lockbox will raise a StillLockedException.
Stopping your application from running until the Lockbox is unlocked
Because you haven't used an easily guessable pass phrase (right?) I don't see any problem with hijacking any web requests using a before_filter on your ApplicationController class:
class ApplicationController < ActionController::Base
before_filter :check_unlocked
def check_unlocked
if Lockbox.locked?
if !Lockbox.try? params[:pass_phrase]
render :partial => 'unlock'
end
end
end
Alternatively you could redirect requests to a "down for maintenance" page.
