spikex / strongbox

Secures ActiveRecord attributes with public key encryption
http://stuff-things.net/2009/04/17/introducing-strongbox/
MIT License

Current state of this gem #49

Open ehannes opened 8 years ago

ehannes commented 8 years ago

What is the current state of this gem? According to the Readme:

Strongbox is tested against Rails 2.3 and 3.x using Ruby 1.8.7, 1.9.2, and 1.9.3.

I see there is an unmerged pull request from 2014 to update support for Rails 4.1 and Ruby 2.1. Now, Rails 5 is out. Is this gem maintained anymore?

jakeonrails commented 7 years ago

Just my observation that upgrading to Ruby 2.4 breaks this gem with the following error:

    OpenSSL::OpenSSLError:
           password must be at least 4 bytes

The line of code that breaks is lock.rb:49

        # Using a blank password in OpenSSL::PKey::RSA.new prevents reading
        # the private key if the file is a key pair
        public_key = get_rsa_key(@public_key,"")

The double quotes are a hard-coded 'password', and that is the field that is expected to be 4 bytes or longer. There does not seem to be any way to configure this or force it to use a 4-byte (or longer) password, without monkey patching the gem.

Are you aware of any alternatives to this library, @ehannes, especially those which would allow us to continue using the current data in our database without a tedious decrypt/re-encrypt migration?
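An added example, not part of the comment above and not Strongbox code: one way to load only the public half of a PEM key-pair file without handing OpenSSL any password, by isolating the public key block before parsing. The names `public_key_from_pem` and `constructed_key_pair_pem` are hypothetical, the key pair is constructed at run time, and PEM input is assumed.

```ruby
require "openssl"

# Matches a PEM public key block in either SubjectPublicKeyInfo
# ("PUBLIC KEY") or PKCS#1 ("RSA PUBLIC KEY") form.
PUBLIC_BLOCK = /-----BEGIN ((?:RSA )?PUBLIC KEY)-----.+?-----END \1-----/m

# Hypothetical helper: return an RSA object holding only the public key.
# The private key block, encrypted or not, is never passed to OpenSSL,
# so no password (blank or otherwise) is needed and no prompt can appear.
def public_key_from_pem(pem)
  block = pem[PUBLIC_BLOCK]
  raise ArgumentError, "no public key block in PEM input" if block.nil?

  key = OpenSSL::PKey::RSA.new(block)
  # Defensive check: refuse anything that still carries private material.
  raise ArgumentError, "unexpected private key material" if key.private?
  key
end

# Constructed sample input: a key-pair file made of a passphrase-protected
# private key followed by the matching public key.
def constructed_key_pair_pem(passphrase)
  key = OpenSSL::PKey::RSA.new(2048)
  cipher = OpenSSL::Cipher.new("aes-256-cbc")
  [key, key.to_pem(cipher, passphrase) + key.public_key.to_pem]
end

if __FILE__ == $PROGRAM_NAME
  key, pem = constructed_key_pair_pem("constructed passphrase")
  pub = public_key_from_pem(pem)
  ciphertext = pub.public_encrypt("attribute value")
  puts "public only:  #{!pub.private?}"
  puts "round trip:   #{key.private_decrypt(ciphertext)}"
end
```

A file that contains only a private key has no public block, so this helper raises `ArgumentError` for it rather than falling back to reading the private key.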

ruan-brandao commented 6 years ago

I've noticed that the master branch is being updated, but there have been no new releases since 2015. I am not sure about the status of the gem. Is it being maintained?

ehannes commented 6 years ago

I would say no since no maintainer has answered this question in 1.5 years :(