Non-encrypted Confidential Information - Database - Elixir

Need

Ensure that user query information stored in the database is encrypted.

Context

  • Usage of Elixir (1.12.0 and above) for building scalable and concurrent applications
  • Usage of Ecto (3.7.1 and above) for database query and manipulation
  • Usage of Cloak (1.1.0 and above) for data encryption and protection

Description

Non compliant code

        defmodule MyApp.Repo.Migrations.CreateUser do
          use Ecto.Migration

          def change do
            create table(:users) do
              add :query, :string
              timestamps()
            end
          end
        end

The code is insecure because it stores the user's queries in the database as a plain :string column, without any form of encryption. Anyone who has access to the database can view sensitive user query information.

Steps

  • Install the Cloak library to handle encryption and decryption of sensitive data.
  • Encrypt user query data before storing it in the database.
  • Decrypt the data when accessing it.

Compliant code

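        defmodule MyApp.Repo.Migrations.CreateUser do
          use Ecto.Migration

          def change do
            create table(:users) do
              # Migration column types are database types. Ciphertext is raw
              # bytes, so the column is :binary; encryption and decryption are
              # done by the Cloak Ecto type declared on the schema field.
              add :query, :binary
              timestamps()
            end
          end
        end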

The code is secure because it encrypts the user's queries before storing them in the database. The query data is decrypted when accessed, ensuring the stored data is unreadable without the decryption key.
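The application side of the steps above, as an added example that is not code from the original page: a vault holding the key, a Cloak Ecto type bound to it, and the schema field that uses it. It assumes the cloak_ecto package is installed alongside cloak; MyApp.Vault, MyApp.Encrypted.Binary, MyApp.User, :my_app and the CLOAK_KEY environment variable are hypothetical names.

```elixir
# Added example. MyApp.Vault, MyApp.Encrypted.Binary, MyApp.User, :my_app and
# CLOAK_KEY are assumed names; requires the cloak_ecto package next to cloak.
defmodule MyApp.Vault do
  # Must be started in the application's supervision tree.
  use Cloak.Vault, otp_app: :my_app

  @impl GenServer
  def init(config) do
    # Read the key at boot so it never lives in source control or the database.
    key = "CLOAK_KEY" |> System.fetch_env!() |> Base.decode64!()
    if byte_size(key) != 32, do: raise(ArgumentError, "CLOAK_KEY must be 32 bytes")

    ciphers = [
      default: {Cloak.Ciphers.AES.GCM, tag: "AES.GCM.V1", key: key, iv_length: 12}
    ]

    {:ok, Keyword.put(config, :ciphers, ciphers)}
  end
end

defmodule MyApp.Encrypted.Binary do
  # Ecto type that encrypts on write (dump) and decrypts on read (load).
  use Cloak.Ecto.Binary, vault: MyApp.Vault
end

defmodule MyApp.User do
  use Ecto.Schema
  import Ecto.Changeset
  import Ecto.Query, only: [from: 2]

  schema "users" do
    field :query, MyApp.Encrypted.Binary
    timestamps()
  end

  def changeset(user, attrs) do
    user |> cast(attrs, [:query]) |> validate_required([:query])
  end

  # Check what is really on disk: a schemaless read bypasses the Ecto type,
  # so it must return ciphertext that does not contain the plaintext.
  def stored_as_ciphertext?(%__MODULE__{id: id, query: plaintext}) do
    raw = MyApp.Repo.one(from u in "users", where: u.id == ^id, select: u.query)
    is_binary(raw) and raw != plaintext and not String.contains?(raw, plaintext)
  end
end
```

Calling stored_as_ciphertext?/1 on a freshly inserted user in an integration test catches the case where the field was left as :string in the schema and the value reached the table unencrypted.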

References