Lockbox: Now with Types

A new version of Lockbox was just released with support for types, making it easier to encrypt non-string fields.

class User < ApplicationRecord
  encrypts :born_on, type: :date
  encrypts :salary, type: :integer

Previously, you’d need to perform typecasting yourself, making it harder to work with encrypted fields. All of these types are supported:

Types are automatically detected for serialized fields for maximum compatibility with existing code and libraries.

class User < ApplicationRecord
  serialize :properties, JSON
  encrypts :properties # detects JSON type

It even works with custom serializers.


This release also adds support for padding. Padding can help conceal the exact length of messages. As the Libsodium docs explain:

Most modern cryptographic constructions disclose message lengths. The ciphertext for a given message will always have the same length, or add a constant number of bytes to it. For most applications, this is not an issue. But in some specific situations, [...] hiding the length may be desirable.

Suppose a person’s health is categorized as either:

Even if this value is encrypted, it’s easy to know the status of a person since each category has a different length, which carries over to the ciphertext. Padding addresses this by adding data to the end of each message before encryption. You can enable padding for a field with:

class Person < ApplicationRecord
  encrypts :health_status, padding: true

This expands all messages to a multiple of 16 bytes. You can configure the multiple as needed based on your data.

Get started with types and padding by grabbing the latest version of Lockbox today!

Published July 22, 2019

You might also enjoy

Hybrid Cryptography on Rails

Why and How to Keep Your Decryption Keys Off Web Servers

Client-Side Encryption with AWS and Ruby

All code examples are public domain.
Use them however you’d like (licensed under CC0).