Ideas

[ankane]

3.0

• Exclude blind index columns from serialized_hash (not great for inspect) - serialized_hash branch
• Drop support for Active Record < 5.2 and Ruby < 2.6

Ideas

• (waiting for AR release) add support for Active Record 6.1 - activerecord61 branch
• Add support for update_column and update_columns - update_columns branch
• Prefer sensitive: true or extra_sensitive: true over slow: true

[chmatos]

there is any way to do a select with order ? example: Customer.all.order(:name), where name is blinded.

[ankane]

No, you'll need to do sorting in memory (Customer.all.sort_by(&:name)). There is the concept of order-preserving encryption, but it leaks significantly more information than blind indexing.

[chmatos]

ok, thanks a lot ankane, and congratulations for the gem.

[tddrmllr]

Is it possible to support ranges? i.e,

class Post
  encrypts :date, type: :date
  blind_index :date
end

Post.where(date: ..Date.today)
Post.where(date: Date.today..)
Post.where(date: Date.yesterday..Date.today)

Or is it a similar issue to using order?

[ankane]

Since dates are discrete, you could pass an array of dates instead of a range. However, creating blind indexes on dates in general will leak a lot of information since it'll show which records have the same dates.

[mrjonesbot]

This might be a dumb question, but I'm trying to LIKE search against an encrypted column using Blind index and it doesn't seem possible.

Example.

Candidate.joins(:profile).where("candidate_profiles.encrypted_inmate_number ILIKE ?", "%W45%")
=> ERROR: column candidate_profiles.encrtyped_inmate_number does not exist

(profile is an alias in this example)

The only value I'm able to search against is the _bidx, but that is obviously not searching against the encrypted value.

Is there any way to achieve this kind of LIKE search for encrypted values?

Didn't want to open a separate issue since this seems in line with the design of encrypting data.

update
I was able to move in a different direction to avoid needing to do this.

[ankane]

fwiw, there's a section in the readme on this w/ alternative approaches.

[mrjonesbot]

fwiw, there's a section in the readme on this w/ alternative approaches.

Whoops, missed this in my haste 😬 . Appreciate the callout!

[ianrandmckenzie]

Any chance of adding Sequel support or guiding me on how I might go about implementing it?

See #10, janko/rodauth-rails#108

[ankane]

I don't have any plans to support Sequel, but you can check out model.rb and extensions.rb to see how it's done for Active Record. You could also use BlindIndex.generate_bidx to generate the blind index value manually before inserting into the database, and then again to query it.

# insert
users.insert(email_bidx: BlindIndex.generate_bidx("test@example.com", key: key))

# query
users.where(email_bidx: BlindIndex.generate_bidx("test@example.com", key: key))

[ianrandmckenzie]

Thanks for pointing me in the right direction, Andrew. This is needed for an active project, so I'll be diving in soon. If I'm feeling super ambitious, I may make a Sequel fork and try to remain as parallel as I can!

[ankane]

No problem. Also, if you haven't already seen it, it looks like Sequel has a plugin for searchable encryption. https://sequel.jeremyevans.net/rdoc-plugins/classes/Sequel/Plugins/ColumnEncryption.html