mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
f78a480818
This implements several changes to encourage deterministic encryption to remain unchanged. The main motivation is letting you define unique indexes on deterministically-encrypted columns:

- By default, deterministic encryption will always use the oldest encryption scheme to encrypt new data, when there are many.
- You can skip this default behavior and make it always use the current encryption scheme with:

```ruby
deterministic: { fixed: false } # using this should be a rare need
```

- Deterministic encryption still supports previous encryption schemes normally. So they will be used to add additional values to queries, for example.
- You can't rotate deterministic encryption keys anymore. We can add support for that in the future.

This makes for reasonable defaults:

- People using "deterministic: true" will get unique indexes working out of the box.
- The system will encourage keeping deterministic encryption stable:
  - By always using oldest encryption schemes
  - By forbidding configuring multiple keys

But you can still opt-out of the default if you need to.
- cipher
- performance
- cipher_test.rb
- concurrency_test.rb
- configurable_test.rb
- contexts_test.rb
- derived_secret_key_provider_test.rb
- deterministic_key_provider_test.rb
- encryptable_record_api_test.rb
- encryptable_record_test.rb
- encrypted_fixtures_test.rb
- encrypting_only_encryptor_test.rb
- encryption_schemes_test.rb
- encryptor_test.rb
- envelope_encryption_key_provider_test.rb
- extended_deterministic_queries_test.rb
- helper.rb
- key_generator_test.rb
- key_provider_test.rb
- key_test.rb
- message_serializer_test.rb
- message_test.rb
- null_encryptor_test.rb
- properties_test.rb
- read_only_null_encryptor_test.rb
- scheme_test.rb
- unencrypted_attributes_test.rb