Blind index with key stored at KMS issue
brovikov opened this issue · 1 comments
brovikov commented
Please help!
First of all, many thanks for all your open source work! You're doing great stuff!
I have a problem adding a blind index with the key stored in KMS using the awesome gem kms_encrypted:
user.rb

```ruby
class User < ApplicationRecord
  has_kms_key name: :blind_index_email, key_id: ENV['EMAIL_BLIND_INDEX_KEY']
  blind_index :email, key: :kms_key_blind_index_email
end
```

.env

```
EMAIL_BLIND_INDEX_KEY=insecure-test-key
```
For `User.kms_keys` I get this response:

```
=> {:kms_key_blind_index_email=>{:key_id=>"insecure-test-key", :name=>:blind_index_email,
:version=>1, :previous_versions=>nil, :upgrade_context=>false}
```

But I got the following error:

```
BlindIndex::Error:
Key must use binary encoding
```
ankane commented
Hey @brovikov, you won't be able to use `has_kms_key` for the blind index key, since blind index needs the same key for every row. You can still store that key in KMS, but you need to:
- Generate a blind index key
- Encrypt that key with KMS
- Store the encrypted value with the rest of your secrets
- Update your model to use key (pseudocode below)

```ruby
class User < ApplicationRecord
  blind_index :email, key: -> { @@email_blind_index_key ||= decrypt(encrypted_value) }
end
```
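
The four steps above as an added example (not code from this thread or from either gem): `LocalKms` is a local AES-256-GCM wrapper standing in for the KMS encrypt/decrypt calls, and `BlindIndexKeyLoader` is a hypothetical helper that decrypts the stored value once per process and returns a 32-byte, binary-encoded key. All key material is constructed at run time.

```ruby
require "openssl"
require "base64"
require "securerandom"

# Assumption: local AES-256-GCM wrapper standing in for KMS encrypt/decrypt.
class LocalKms
  def initialize(wrapping_key)
    @wrapping_key = wrapping_key
  end

  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @wrapping_key
    iv = cipher.random_iv
    ciphertext = cipher.update(plaintext) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext) # iv(12) | tag(16) | ct
  end

  def decrypt(encoded)
    raw = Base64.strict_decode64(encoded)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = @wrapping_key
    cipher.iv = raw[0, 12]
    cipher.auth_tag = raw[12, 16]
    cipher.update(raw[28..-1]) + cipher.final # raises CipherError if tampered
  end
end

# Hypothetical helper: unwraps the single shared blind index key once and memoizes it.
class BlindIndexKeyLoader
  attr_reader :decrypt_calls
  def initialize(kms, encrypted_value)
    @kms, @encrypted_value, @decrypt_calls = kms, encrypted_value, 0
  end

  def key
    @key ||= begin
      @decrypt_calls += 1
      key = @kms.decrypt(@encrypted_value).force_encoding(Encoding::BINARY)
      raise ArgumentError, "blind index key must be 32 bytes" unless key.bytesize == 32
      key
    end
  end
end

# Constructed sample values: generate the key, wrap it, keep only the wrapped form.
KMS = LocalKms.new(SecureRandom.random_bytes(32))
ENCRYPTED_VALUE = KMS.encrypt(SecureRandom.random_bytes(32)) # goes in the secrets store
LOADER = BlindIndexKeyLoader.new(KMS, ENCRYPTED_VALUE)
```

In a model this would plug in as `key: -> { LOADER.key }`, so every row is indexed with the same unwrapped key.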