1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

3 commits

Author SHA1 Message Date
Jorge Manrubia
f78a480818 Encourage deterministic encryption to remain unchanged
This implements several changes to encourage deterministic encryption to
remain unchanged. The main motivation is letting you define unique
indexes on deterministically-encrypted columns:

- By default, deterministic encryption will always use the oldest
encryption scheme to encrypt new data, when there are many.
- You can skip this default behavior and make it always use the current
encryption scheme with:

```ruby
deterministic: { fixed: false } # using this should be a rare need
```

- Deterministic encryption still supports previous encryption schemes
normally. So they will be used to add additional values to queries, for
example.
- You can't rotate deterministic encryption keys anymore. We can add
support for that in the future.

This makes for reasonable defaults:

- People using "deterministic: true" will get unique indexes working out
of the box.
- The system will encourage keeping deterministic encryption stable:
  - By always using oldest encryption schemes
  - By forbidding configuring multiple keys

But you can still opt-out of the default if you need to.
2021-04-01 15:02:15 +02:00
Jorge Manrubia
1406ac294f Remove new lines 2021-04-01 15:02:14 +02:00
Jorge Manrubia
638a92f734 Initial extraction from active_record_encryption gem 2021-04-01 15:02:13 +02:00