How do I encrypt a file upload in Rails with Lockbox?

Lockbox integrates with Active Storage, CarrierWave, or Shrine. For Active Storage, add `encrypts_attached` to your model, but note that variants won't work. Serve files via a controller action using `send_data` as shown in the README.

Lockbox vs attr_encrypted: which is better for Rails?

Lockbox is more modern with zero dependencies, better key rotation, and file encryption support. attr_encrypted is older but widely used; Lockbox offers easier migration paths and updated cryptography, making it preferable for new projects.

Can I search encrypted database fields with Lockbox?

No, Lockbox doesn't support querying encrypted data directly. You need to use Blind Index, a separate gem by the same author, to create searchable indexes without exposing plaintext.

How to rotate encryption keys in Lockbox without downtime?

Set previous keys in the initializer using `previous_versions`, then use `Lockbox.rotate` for records or similar methods for files. The README details step-by-step migrations for Active Record and uploaders.

Does Lockbox work with Mongoid or only Active Record?

Yes, Lockbox supports Mongoid for encrypting fields in MongoDB, with similar syntax to Active Record. The README includes examples for model setup and data migration.

What encryption algorithms does Lockbox use by default?

Lockbox defaults to AES-GCM with 256-bit keys, which is NIST recommended and fast. It also supports XSalsa20 and hybrid cryptography if Libsodium is installed.

How to handle direct uploads with encrypted files in Lockbox?

Direct uploads can't be encrypted with application-level encryption like Lockbox. The README admits this limitation and suggests server-side encryption or workarounds, which may require extra configuration.

lockbox — Modern Encryption for Ruby & Rails

What is lockbox?

Lockbox is a modern encryption library for Ruby and Rails that provides application-level encryption for database fields, files, and strings. It solves the problem of securing sensitive data in Ruby applications by offering seamless integration with popular ORMs and file upload libraries, ensuring data is encrypted at rest without disrupting existing workflows.

Target Audience

Ruby and Rails developers who need to encrypt sensitive data like emails, files, or user information in their applications, particularly those using Active Record, Active Storage, or other supported libraries.

Value Proposition

Developers choose Lockbox for its zero-dependency design, ease of migration from existing data, and comprehensive support for key rotation and multiple encryption algorithms. Its focus on compatibility with existing code and libraries reduces the friction of adding encryption to Rails applications.

Modern encryption for Ruby and Rails

Use Cases

Best For

Encrypting sensitive database columns like emails or phone numbers in Rails applications
Securing file uploads in Active Storage, CarrierWave, or Shrine with encryption
Migrating existing unencrypted data to encrypted columns without downtime
Implementing key rotation for encryption keys in production environments
Adding encryption to Action Text rich text content in Rails
Using hybrid cryptography to allow servers to encrypt data without decryption capabilities

Not Ideal For

Systems requiring full-disk or database-level encryption, as Lockbox operates at the application layer only
High-performance applications where encryption overhead could bottleneck real-time data processing
Projects needing seamless support for Active Storage variants and previews with encrypted files
Environments mandating FIPS-certified cryptographic algorithms not provided by default

Pros & Cons

Pros

Zero Dependencies

Lockbox has no external dependencies by default, keeping it lightweight and easy to integrate, though optional Libsodium support is available for advanced features like XSalsa20.

Easy Migration & Rotation

It provides built-in tools for encrypting existing data without downtime and rotating keys, with clear examples for Active Record and file uploaders in the README.

Broad Library Integration

Lockbox seamlessly works with Active Record, Active Storage, CarrierWave, Shrine, and others, supporting serialized fields and types for maximum compatibility.

Modern Cryptography Options

Defaults to AES-GCM with 256-bit keys, and offers advanced options like XSalsa20 and hybrid cryptography, with detailed setup instructions for each.

Cons

Limited File Feature Support

When encrypting Active Storage files, variants and previews aren't supported, and metadata extraction is disabled, impacting user experience for media-heavy apps.

Libsodium Dependency for Advanced Features

Using XSalsa20 or hybrid cryptography requires installing Libsodium separately, adding platform-specific setup complexity and potential maintenance overhead.

No Built-in Querying

Encrypted fields cannot be queried directly; developers must integrate the separate Blind Index gem for search functionality, adding another dependency.

Performance Overhead for Large Data

Encryption and decryption add computational cost, which might be significant for applications handling high volumes of data or frequent file operations.

Frequently Asked Questions

What is lockbox?

Target Audience

Value Proposition

Use Cases

Best For

Encrypting sensitive database columns like emails or phone numbers in Rails applications
Securing file uploads in Active Storage, CarrierWave, or Shrine with encryption
Migrating existing unencrypted data to encrypted columns without downtime
Implementing key rotation for encryption keys in production environments
Adding encryption to Action Text rich text content in Rails
Using hybrid cryptography to allow servers to encrypt data without decryption capabilities

Not Ideal For

Systems requiring full-disk or database-level encryption, as Lockbox operates at the application layer only
High-performance applications where encryption overhead could bottleneck real-time data processing
Projects needing seamless support for Active Storage variants and previews with encrypted files
Environments mandating FIPS-certified cryptographic algorithms not provided by default

Pros & Cons

Pros

Zero Dependencies

Lockbox has no external dependencies by default, keeping it lightweight and easy to integrate, though optional Libsodium support is available for advanced features like XSalsa20.

Easy Migration & Rotation

It provides built-in tools for encrypting existing data without downtime and rotating keys, with clear examples for Active Record and file uploaders in the README.

Broad Library Integration

Lockbox seamlessly works with Active Record, Active Storage, CarrierWave, Shrine, and others, supporting serialized fields and types for maximum compatibility.

Modern Cryptography Options

Defaults to AES-GCM with 256-bit keys, and offers advanced options like XSalsa20 and hybrid cryptography, with detailed setup instructions for each.

Cons

Limited File Feature Support

When encrypting Active Storage files, variants and previews aren't supported, and metadata extraction is disabled, impacting user experience for media-heavy apps.

Libsodium Dependency for Advanced Features

Using XSalsa20 or hybrid cryptography requires installing Libsodium separately, adding platform-specific setup complexity and potential maintenance overhead.

No Built-in Querying

Encrypted fields cannot be queried directly; developers must integrate the separate Blind Index gem for search functionality, adding another dependency.

Performance Overhead for Large Data

Encryption and decryption add computational cost, which might be significant for applications handling high volumes of data or frequent file operations.

Frequently Asked Questions

lockbox

What is lockbox?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?

lockbox

What is lockbox?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?