BlindIndex::Error: Key must use binary encoding
ACPK opened this issue · 2 comments
I'm using kms_encrypted and google-api-client.
My migration file was:
class AddEncryptedEmailToUsers < ActiveRecord::Migration[5.2]
  def change
    # encrypted data
    add_column :users, :encrypted_email, :text
    add_column :users, :encrypted_email_iv, :text
    add_column :users, :encrypted_kms_key, :text
    # blind index
    add_column :users, :encrypted_email_bidx, :text
    add_index :users, :encrypted_email_bidx, unique: true
    # drop original here unless we have existing users
    remove_column :users, :email
  end
end
My user.rb file includes:
has_kms_key
attr_encrypted :email, key: :kms_key
attr_encrypted :email, key: ENV["EMAIL_ENCRYPTION_KEY"]
blind_index :email, key: ENV["EMAIL_BLIND_INDEX_KEY"]
My .ENV includes:
EMAIL_ENCRYPTION_KEY=00000000000000000000000000000000
EMAIL_BLIND_INDEX_KEY=99999999999999999999999999999999
I get the error when running:
u = User.first
u.email = 'test@test.com'
u.save
The fix seems to be that I need to use "SecureRandom.hex(32)" to generate the "EMAIL_BLIND_INDEX_KEY" rather than the one listed in Readme.md.
Are there any other changes I need to make in order to have blind_index compatible with kms_encrypted?
This is more related to Lockbox than Blind Index, but I wanted to post this for anyone who stumbles across this in the future: you can’t use rake secret (which creates a 128 character string) to generate the LOCKBOX_MASTER_KEY or you will get this “Key must use binary encoding” error from Lockbox. You need to use Lockbox.generate_key (which creates a 64 character string).
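A pre-flight check for the key formats discussed in this thread, as an added example that is not part of the original posts or of the Blind Index or Lockbox code. The helper names (key_status, decode_key, audit), GOOD_HEX_KEY and GOOD_RAW_KEY are hypothetical, the sample values are constructed, and the rule that only a 64-character hex value is decoded to 32 binary bytes is an assumption drawn from the behaviour reported above.

```ruby
require "securerandom"

KEY_BYTES = 32 # assumption: keys are 32 bytes, which SecureRandom.hex(32) encodes
HEX_KEY   = /\A[0-9a-f]{#{KEY_BYTES * 2}}\z/i

# Hypothetical helper: classify a configured key value before the app boots.
def key_status(value)
  return :missing if value.nil? || value.empty?
  if value.encoding == Encoding::BINARY
    return value.bytesize == KEY_BYTES ? :binary_ok : :wrong_byte_length
  end
  return :not_binary unless value.valid_encoding?
  return :hex_ok if value.match?(HEX_KEY)
  # Assumption based on this thread: hex of any other length is not decoded,
  # so the value stays a text string and is rejected as non-binary.
  return :wrong_hex_length if value.match?(/\A[0-9a-f]+\z/i)
  :not_binary
end

# Hypothetical helper: return the 32 raw key bytes or raise with the reason.
def decode_key(name, value)
  status = key_status(value)
  case status
  when :hex_ok    then [value].pack("H*") # pack returns an ASCII-8BIT string
  when :binary_ok then value
  else raise ArgumentError, "#{name}: #{status}"
  end
end

# Constructed sample values, shaped like the ones discussed in this thread.
SAMPLE_ENV = {
  "EMAIL_BLIND_INDEX_KEY" => "9" * 32,             # 32-character text value
  "LOCKBOX_MASTER_KEY"    => SecureRandom.hex(64), # 128 characters
  "GOOD_HEX_KEY"          => SecureRandom.hex(32), # 64 characters
  "GOOD_RAW_KEY"          => SecureRandom.random_bytes(32)
}.freeze

# Map every configured key name to its status symbol.
def audit(env)
  env.transform_values { |value| key_status(value) }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_ENV).each { |name, status| puts "#{name}: #{status}" }
end
```

Running the same classification over the real environment at boot reports a wrongly shaped key by name, without printing the key itself.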