Recommendations for Using pgcrypto PGP Encryption with Heroku and Rails

Are there any security recommendations for using Rails and Heroku Postgres with pgcrypto's PGP public-key encryption?

A naive and direct way is to store the private key and password in Heroku ENV variables. However, it seems like this does not add much security, since both values are now easily accessible to anyone who has access to the environment.

The purpose of this would be to encrypt any confidential information, such as SINs, appropriately.

Scenario:

Suppose you have several fields that are subject to a specific or standard privacy requirement for storing data, such as government identifiers (for example, SINs). What is a suitable or even common process for encrypting this information with pgcrypto?

If anyone has an alternative suggestion for the script, I would be happy to include it as well.

+7
ruby-on-rails postgresql encryption heroku
2 answers

This question has no answer until you determine your threat model, but your question assumes that you want to store information so that even people who have access to the server environment cannot read it, and in that case there really are only these options:

  • Do not store the data at all. Depending on what you need, the data may not need to be available on your servers at all. For example, you can ask a user to enter their credit card number and immediately send it to the credit card processor without saving it (this means that you will need to ask for their number again next time, unless the credit card processor keeps it for you). Some payment processing schemes even send payment data directly to the processor, so your site does not touch this data at all. Depending on your requirements, this may or may not suit your needs.

  • Store the data only as a hash, like a password. This is useful if you do not really need the data, but only need to verify that someone using your site has it. This is the universal solution for passwords and other "secrets", but it is useless for other data.

  • Store the data using public/private key encryption and do not keep the private key on the server at all. This can work if, for example, the server has only the public key in its environment, with which it encrypts data into a table, but an administrator must download the encrypted data and decrypt it locally in order to use it. Again, this has serious limitations, so you can only use it if your requirements on what to do with the data are compatible with it.

  • Store the data with symmetric encryption on the client side, encrypted and decrypted only with the client's key. This is how LastPass works, for example. This means that you, the server administrator, can do nothing with the data except return it to the user who entered it. Once again, this only works if your requirements are very narrow.

If your requirements for what you do with the data are incompatible with all of the above, then none of these options can help you. You can encrypt the data with symmetric encryption and keep the key in the server environment as protection against backups or database access falling into the wrong hands (but not the application itself); this does not, however, address the threat model of an attacker with access to the running environment.

There is no universal "best practice", because the trade-offs involved in handling a threat model in which the attacker has access to the environment are so great that only applications with very specific, limited requirements can do it at all. If the server can read the data, then so can an attacker on it.

+4
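The third option above (server holds only the public key, the administrator decrypts offline) as an added example, not code from the answer. It uses Ruby's OpenSSL with a hybrid RSA-OAEP + AES-256-GCM envelope in place of pgcrypto's `pgp_pub_encrypt`/`pgp_pub_decrypt`, which implement the same split; the key names and the SIN value are constructed for the demonstration.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Generated once on the admin's machine. Only :public_pem is deployed
# (e.g. as a Heroku config var); :private_pem never reaches the server.
def generate_admin_keypair(bits = 2048)
  rsa = OpenSSL::PKey::RSA.new(bits)
  { private_pem: rsa.to_pem, public_pem: rsa.public_key.to_pem }
end

# true only for a PEM that contains the private half, i.e. can decrypt.
def key_can_decrypt?(pem)
  OpenSSL::PKey::RSA.new(pem).private?
end

# Server side: a fresh AES-256-GCM data key per record, wrapped with the
# admin's RSA public key. Returns a base64 envelope to store in the column.
def encrypt_for_admin(public_pem, plaintext)
  pub = OpenSSL::PKey::RSA.new(public_pem)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  data_key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  wrapped = pub.public_encrypt(data_key, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  Base64.strict_encode64(JSON.generate(
    k: Base64.strict_encode64(wrapped), iv: Base64.strict_encode64(iv),
    ct: Base64.strict_encode64(ciphertext), tag: Base64.strict_encode64(cipher.auth_tag)
  ))
end

# Admin side, run locally: unwrap the data key with the private key, then
# decrypt. GCM raises OpenSSL::Cipher::CipherError if the envelope was altered.
def decrypt_offline(private_pem, envelope)
  priv = OpenSSL::PKey::RSA.new(private_pem)
  raise ArgumentError, 'private key required; a public key cannot decrypt' unless priv.private?
  p = JSON.parse(Base64.strict_decode64(envelope))
  data_key = priv.private_decrypt(Base64.strict_decode64(p['k']), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = data_key
  decipher.iv = Base64.strict_decode64(p['iv'])
  decipher.auth_tag = Base64.strict_decode64(p['tag'])
  decipher.auth_data = ''
  decipher.update(Base64.strict_decode64(p['ct'])) + decipher.final
end
```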

Heroku env

You get some benefit from storing the key in the Heroku env and encrypting in the database, because then an attacker cannot get the information out of the database either by a direct break-in or by SQL injection.

You are still vulnerable to anyone who can infiltrate your application server, your Heroku account, or any Heroku or Amazon staff who can access the server.

Separate secure server

If you have a large team and/or subcontractors who can access your Heroku account, you can have a separate server on a separate account, or even on separate, more secure hosting, which is responsible for keeping and loading secrets, with only a few highly trusted people having access to it. It can be small and simple and accept requests only from the application servers to minimize the attack surface. The server can be designed to limit the speed at which it hands out confidential data from the database, in order to prevent a complete dump even if your main application server is hacked. It can access the same database or another system and perform the encryption/decryption on each load/save request from the application server before passing back the result.

Doing this adds latency and complexity, but it is a trade-off you may consider against the increased security. In order to obtain secret information in bulk, an attacker must either break into/gain access to the application server and slowly extract the secret data from the protected server without triggering your intrusion detection systems, or gain direct access to your protected server in some way (which should be harder than for the main server, since fewer accounts are exposed to social engineering and password guessing, and the direct attack surface should be smaller).

+1
