September 9, 2022

launch

ActiveStash Assess is a tool that identifies where sensitive data lives in your Rails 7 app's database, and tracks your progress on encrypting it.

ActiveStash Assess comes in two parts:

Identify database fields with sensitive data

To start using ActiveStash Assess, ensure you are running Rails 7, and upgrade to version 0.9.0 of ActiveStash in your Rails application.

Run an assessment with:

rake active_stash:assess

This will print results to stdout in a human-readable format:

User:
  - User.name is suspected to contain: names (AS0001)
  - User.email is suspected to contain: emails (AS0001)
  - User.gender is suspected to contain: genders (AS0001)
  - User.ccn is suspected to contain: credit card numbers (AS0003)
  - User.dob is suspected to contain: dates of birth (AS0001)

Online documentation:
  - https://docs.cipherstash.com/assess/checks#AS0001
  - https://docs.cipherstash.com/assess/checks#AS0003

Assessment written to: /Users/you/your-app/active_stash_assessment.yml

Follow those links to learn more about why this data is considered sensitive, why adversaries want it, and what regulations and compliance frameworks cover this data.

Track your encryption progress

The active_stash:assess Rake task also writes a results file to active_stash_assessment.yml in your Rails project root.

We recommend you commit this file to your repo, so you can track your progress on encrypting these fields over time.

Once this report is generated, you can use the encrypt_sensitive_fields RSpec matcher to verify that a model encrypts fields that were identified by rake active_stash:assess.

For example, to verify that all identified sensitive fields on the User model are encrypted, add this to spec/user_model_encrypted_spec.rb:

require 'active_stash/matchers'

describe User do
  it "encrypts sensitive fields", pending: "unenforced" do
    expect(described_class).to encrypt_sensitive_fields
  end
end

When you run your test suite with rake spec, you will see output similar to this:

[Screenshot: RSpec run with failed ActiveStash Assess checks]

This helps you keep track of what fields you need to encrypt, as you incrementally roll out Application Level Encryption on your app.

As the example above shows, we recommend you start out by marking the test as pending. This stops the test from failing while you incrementally encrypt database fields. Once you have encrypted all the fields identified by ActiveStash Assess, remove the pending option so your tests fail if any of those database fields becomes unencrypted again.

The encrypt_sensitive_fields matcher currently verifies that fields have been encrypted using ActiveRecord Encryption, but support for Lockbox is planned.
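The check the matcher performs can be illustrated outside a Rails app. The following is an added example, not code from ActiveStash: it parses the human-readable assessment output shown above (the real matcher reads active_stash_assessment.yml, whose layout is not shown here) and reports which flagged fields a model has not yet declared with ActiveRecord Encryption. The sample output and the set of encrypted attributes are constructed for the example.

```ruby
require 'set'

# Constructed sample in the format printed by `rake active_stash:assess`.
ASSESS_OUTPUT = <<~OUT
  User:
    - User.name is suspected to contain: names (AS0001)
    - User.email is suspected to contain: emails (AS0001)
    - User.gender is suspected to contain: genders (AS0001)
    - User.ccn is suspected to contain: credit card numbers (AS0003)
    - User.dob is suspected to contain: dates of birth (AS0001)
  Online documentation:
    - https://docs.cipherstash.com/assess/checks#AS0001
OUT

# One finding line: "  - Model.field is suspected to contain: kind (ASnnnn)"
FINDING = /\A\s*-\s*(\w+)\.(\w+) is suspected to contain: (.+?) \((AS\d+)\)\s*\z/

# Returns { "User" => [{ field: :name, kind: "names", check: "AS0001" }, ...] }.
# Lines that are not findings (headings, documentation links) are skipped.
def parse_assessment(text)
  text.each_line.each_with_object(Hash.new { |h, k| h[k] = [] }) do |line, acc|
    m = FINDING.match(line) or next
    acc[m[1]] << { field: m[2].to_sym, kind: m[3], check: m[4] }
  end
end

# Mirrors what encrypt_sensitive_fields asserts: every field flagged for the
# model must be among its encrypted attributes. `encrypted` stands in for the
# set Rails 7 keeps in Model.encrypted_attributes after `encrypts :field`.
def unencrypted_fields(findings, model, encrypted)
  findings.fetch(model, []).reject { |f| encrypted.include?(f[:field]) }
end

# In the app itself, the fix for each reported field is a Rails 7 declaration:
#   class User < ApplicationRecord
#     encrypts :name, :email, :gender, :ccn, :dob
#   end
if $PROGRAM_NAME == __FILE__
  findings = parse_assessment(ASSESS_OUTPUT)
  unencrypted_fields(findings, "User", Set[:name, :email]).each do |f|
    puts "User.#{f[:field]} (#{f[:check]}: #{f[:kind]}) is not encrypted"
  end
end
```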

ActiveStash Assess does not require a CipherStash account, and ships as part of ActiveStash version 0.9.0.