
Ideas

Open ankane opened this issue 3 years ago • 0 comments

Please create a new issue to discuss any ideas or share your own.

3.0

  • [ ] Change previous_versions to inherit top-level values (add warning first) - #180

Ideas

  • [ ] Add binary option to replace encode (and eventually encode by default for Lockbox.new)
  • [ ] Decode to UTF-8 unless binary: true - utf8 branch
  • [ ] (breaking) Don't encode in Base64 for binary database fields if simple to implement
  • [ ] (breaking) Create new blobs when blobs are attached without encrypted flag
  • [ ] Prefer encrypt_attribute and decrypt_attribute over generate_attribute_ciphertext and decrypt_attribute_ciphertext
  • [ ] Add support for cache stores (Lockbox::Redis and Lockbox::Dalli - cache_stores branch - or Lockbox::Cache::Store for Active Support cache store)
  • [ ] Use Fiddle for Libsodium - libsodium branch
  • [ ] Warn (and eventually throw error) if the master key is passed to Lockbox.new
  • [ ] Require allow_empty option to encrypt empty string without padding
  • [ ] Encrypt empty strings in database fields - model_empty_string branch
  • [ ] Add support for encrypted Active Storage service (can wrap any other service) - more useful in 6.1+ since multiple services are supported (blocked since encryption needs to happen before checksum is computed)
  • [ ] Store the encryption version to make it easy to see which data has been rotated and avoid trying multiple keys. Could be done in an optional new field (email_ciphertext_version, license_version, blob metadata) or directly in the ciphertext (needs to work for files/binary data)
  • [ ] Default padding for encoded strings to reduce data leakage (cons: less standard, slightly more space)
  • [ ] Prefer ActiveSupport.on_load(:action_text_rich_text) { ActionText::RichText.encrypts :body } over Lockbox.encrypts_action_text_body (more code but less magic)
  • [ ] Add pretty_print method (similar to inspect)

On hold

  • [ ] Support for streaming encryption (probably not needed) - streaming branch
  • [ ] Better support for KMS (store key in data/metadata instead of DB) - kms_encrypt branch
  • [ ] Shrine support - shrine branch - WIP

ankane, Jun 12 '22 01:06
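Added example, not Lockbox code and not its ciphertext format, for the "store the encryption version directly in the ciphertext" idea above: a one-byte key version, authenticated as AES-GCM associated data, lets decryption pick the key directly instead of trying several, and lets a rotation job find stale records. The keyring, byte layout and function names are assumptions made for this example.

```ruby
require "openssl"
require "securerandom"

# Constructed keyring for the example: key version => 32-byte AES key.
KEYRING = { 1 => SecureRandom.random_bytes(32), 2 => SecureRandom.random_bytes(32) }.freeze
CURRENT_VERSION = 2
NONCE_LEN = 12
TAG_LEN = 16

# Assumed layout: version (1 byte) | nonce (12) | ciphertext | GCM tag (16).
def encrypt_versioned(plaintext, version: CURRENT_VERSION)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = KEYRING.fetch(version)
  nonce = cipher.random_iv
  header = [version].pack("C")
  cipher.auth_data = header # the tag now covers the version byte
  # Older Ruby openssl versions raise on update(""), so empty input goes straight to final.
  body = plaintext.empty? ? cipher.final : cipher.update(plaintext) + cipher.final
  header + nonce + body + cipher.auth_tag
end

# Reads the key version without decrypting anything.
def stored_version(blob)
  blob.getbyte(0)
end

# True when a record was written under an older key and should be re-encrypted.
def needs_rotation?(blob)
  stored_version(blob) != CURRENT_VERSION
end

def decrypt_versioned(blob)
  raise ArgumentError, "ciphertext too short" if blob.bytesize < 1 + NONCE_LEN + TAG_LEN
  version = stored_version(blob)
  key = KEYRING.fetch(version) { raise ArgumentError, "unknown key version #{version}" }
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key # one key lookup, no trial decryption across the keyring
  cipher.iv = blob.byteslice(1, NONCE_LEN)
  cipher.auth_tag = blob.byteslice(-TAG_LEN, TAG_LEN)
  cipher.auth_data = blob.byteslice(0, 1)
  body = blob.byteslice(1 + NONCE_LEN, blob.bytesize - 1 - NONCE_LEN - TAG_LEN)
  body.empty? ? cipher.final : cipher.update(body) + cipher.final
end
```

Because the version byte is authenticated, changing it in storage makes decryption fail with `OpenSSL::Cipher::CipherError` rather than silently selecting a different key.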