ActiveStash launch
June 23, 2022
launch
Today we're proud to announce ActiveStash, bringing encrypted search to your Ruby on Rails applications.
Application-level encryption is a powerful tool to protect sensitive data in your ActiveRecord models.
Rails 7 introduced ActiveRecord Encryption into Rails itself, exposing more developers to application-level encryption.
Application-level encryption helps developers protect sensitive data like:
- Personally Identifying Information, like names, addresses, email addresses, dates of birth, drivers license numbers, passport numbers
- Protected Health Information, like medicare numbers, social security numbers, health insurance beneficiary numbers
- Financial transactions details, like amounts paid, account numbers, and transaction descriptions
However, there is a major drawback to this approach:
When a record is encrypted, it can't be queried!
Simple lookups are impossible, let alone free-text search or range queries.
ActiveStash completely removes this roadblock.
ActiveStash allows developers to perform exact, free-text, and range queries on their ActiveRecord models using application-level encryption. ActiveStash is built on top of the CipherStash encrypted search index.
For more information on ActiveStash, check out our post on searching encrypted data with Active Record and ActiveStash.
ActiveStash works with any database that ActiveRecord supports
The big advantage of the application-level encryption is that it doesn't rely on database features to work.
This means that you can encrypt data in any of the databases Rails supports, and search them with ActiveStash:
PostgreSQL, MySQL and its ilk, SQL Server, SQLite, and Oracle.
ActiveStash works with ActiveRecord
ActiveStash works with application-level encryption libraries like Lockbox and Active Record Encryption.
Querying capabilities
Queries use ActiveStash::Search
which wraps ActiveRecord::Relation
so the majority of queries you can do in ActiveRecord can be done using ActiveStash.
Exact
Matches if the query term is identical to the value in the record.
User.query(email: "foo@example.com)
Range
Range indexes allow you to execute queries that find all records with a value less-than, greater-than, or between specified values.
You can also do equality comparisons, so you don’t need both an exact and range index over the same field.
> User.query { |q| q.dob > 50.years.ago }
Free text
A match index provides full-text search capabilities on encrypted data.
> User.query { |q| q.name =~ "ace" }
Pricing
ActiveStash is free to use for indexing up to 10,000 record per month, and returning 100,000 records in searches per month.
You can using our pricing calculator on our pricing page, and learn about other addons that help you secure your sensitive customer data.
Signup
After installing ActiveStash to your Rails application, sign up using rake active_stash:signup
.
- Add ActiveStash to your Gemfile
gem "active_stash"
- Install
bundle install
- Signup
rake active_stash:signup
Using ActiveStash in production
Finally, once you're ready to take ActiveStash to production, you can follow our guide to use ActiveStash in a headless environment such as production or CI.
ActiveStash is open source
You can check out the code for ActiveStash on GitHub.
Upcoming features
Performance of bulk inserts and re-indexing
Our backend supports a gRPC streaming API but ActiveStash does not yet make use of it. This is most noticable when your data is initially indexed. We're actively working on addressing this.
A tip to increase the performance is to limit the amount of indexes to be exactly what is required to support your queries. The following example will only generate a match
index on full_name
instead of match
, exact
& range
(the default).
Here's how to limit the index type generated for a specific field.
stash_index :full_name, :only => [:match]
The index terms are encrypted and generated on the client side (CipherStash cannot see your keys!) and must be shipped over the network, so it pays to only generate indexes that you need to support your specific query patterns.
Configurable full text search text processing pipelines
Currently the match
index type uses the following defaults and does not expose a way for the end user to customise it.
- split into tokens on whitespace
- downcase all tokens
- split the tokens using ngram with a 3 character token length
We are working on bringing a range of tokenisation and filtering options to full text search in ActiveStash.