1

Is it possible to set encryption for DynamoDB using Ruby / Ruby on Rails?

Does aws-sdk provide it?

Should I do that on my own?

Or is it not possible?

NOTE: There will be a few instances of the same Rails app running in parallel and connected to the same DynamoDB.

1
  • check out the answer below Commented Jan 20, 2018 at 9:24

2 Answers

1

DynamoDB doesn't encrypt data for you. You would have to handle the encryption and decryption in your DynamoDB client code. There is a Java library for handling this, but I don't see one for Ruby.

Note that DynamoDB won't be able to perform meaningful queries against any fields that you have encrypted.

I would recommend using the AWS KMS service to manage the encryption key that your application uses to encrypt data before it inserts it into DynamoDB.


0

Encrypting critical fields with AWS KMS works well -- here's an example of how to wrap it in a convenient module.

requires gem 'aws-sdk', '~> 2.0'

config/initializers/aws_kms.rb

# Helper for AWS KMS encryption / decryption:
#
# Example:
#
# cipherdata = Aws::KMS.encrypt('boring plain text')
#
# => "AQICAkSXnpkzAJrrzNcjlMxRK78jbKHnkPohQdSZ445Xv29z6C2ty433pG2rcs96IujEj4IXAa1rmSzJXfiQqw4LaFcluh3CYsFQOlOfhgh0LhPdiQhnIP7d0BzlIu3uRFzHLrhIpg2JssVsjnCLZstNkzerfiwYtGSNTpltVjaqJblz3kktSFNxnMoVOcJSlvTbuMdiD9yplGMDD3LC0YKjUZtEZIqEjt=="
#
# Aws::KMS.decrypt( cipherdata )
#
# => "boring plain text"
#
#
# Skips AWS KMS calls in the test and development environments
#
require 'base64'

module Aws::KMS

  def self.encrypt(plaintext)
    if Rails.env.test? || Rails.env.development?
      ['not_encrypted_in_test', plaintext].join('|') # faking encryption so we can test this without AWS
    else
      cipherdata = client.encrypt({
        key_id: ENV['KMS_ARN'],
        plaintext: plaintext,
      }).ciphertext_blob
      Base64.strict_encode64(cipherdata)
    end
  end

  def self.decrypt(ciphertext)
    if Rails.env.test? || Rails.env.development?
      # faking decryption so we can test this without AWS;
      # the limit of 2 keeps plaintext that itself contains '|' intact
      ciphertext.split('|', 2).last
    else
      cipherdata = Base64.strict_decode64( ciphertext )

      client.decrypt({
        ciphertext_blob: cipherdata
      }).plaintext
    end
  end

  # this helper method can be called to check if the ENV variables are configured correctly:
  def self.setup_correct?
    plaintext = 'Hey, it works!'
    cipherdata = Aws::KMS.encrypt( plaintext )
    Aws::KMS.decrypt( cipherdata ) == plaintext
  end

  def self.client
    Aws::KMS::Client.new
  end

end
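
The first answer's advice (let KMS manage the key, encrypt in the client before writing to DynamoDB) is usually implemented as envelope encryption: KMS issues a per-item data key, the app encrypts attributes locally with AES-256-GCM, and the wrapped data key is stored with the item. The sketch below is an added example, not code from either answer; `LocalKmsStub` is a constructed offline stand-in that mirrors the SDK's `generate_data_key` / `decrypt` call names, and the helper names and item layout (`wrapped_key`, `user_id`, `email`) are assumptions.

```ruby
require 'openssl'
require 'base64'
# AES-256-GCM; blob layout is iv (12 bytes) + tag (16 bytes) + ciphertext.
def gcm_seal(key, plaintext, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv
  c.auth_data = aad
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct
end

def gcm_open(key, blob, aad)
  d = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  d.key = key
  d.iv = blob.byteslice(0, 12)
  d.auth_tag = blob.byteslice(12, 16)
  d.auth_data = aad
  d.update(blob.byteslice(28..-1)) + d.final # raises CipherError on tampering
end

# Constructed offline stand-in for Aws::KMS::Client (same call names as the SDK).
class LocalKmsStub
  Resp = Struct.new(:plaintext, :ciphertext_blob)
  def initialize
    @master = OpenSSL::Random.random_bytes(32) # in real KMS this never leaves the service
  end
  def generate_data_key(key_id:, key_spec:)
    dk = OpenSSL::Random.random_bytes(32)
    Resp.new(dk, gcm_seal(@master, dk, key_id))
  end
  def decrypt(ciphertext_blob:, key_id:)
    Resp.new(gcm_open(@master, ciphertext_blob, key_id), nil)
  end
end

# One data key per item; AAD binds each ciphertext to its item key and attribute.
def encrypt_attrs(kms, key_id, item, pk, secret_attrs)
  dk = kms.generate_data_key(key_id: key_id, key_spec: 'AES_256')
  out = item.merge('wrapped_key' => Base64.strict_encode64(dk.ciphertext_blob))
  secret_attrs.each { |a| out[a] = Base64.strict_encode64(gcm_seal(dk.plaintext, item[a], "#{item[pk]}|#{a}")) }
  out
end

def decrypt_attrs(kms, key_id, stored, pk, secret_attrs)
  dk = kms.decrypt(ciphertext_blob: Base64.strict_decode64(stored['wrapped_key']), key_id: key_id)
  out = stored.reject { |k, _| k == 'wrapped_key' }
  secret_attrs.each { |a| out[a] = gcm_open(dk.plaintext, Base64.strict_decode64(stored[a]), "#{stored[pk]}|#{a}").force_encoding('UTF-8') }
  out
end
```

With the real SDK, pass an `Aws::KMS::Client` instead of the stub; the partition key stays in plaintext so the item remains queryable, which is the limitation the first answer points out for encrypted fields.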
