September 9, 2022
ActiveStash Assess is a tool to identify where sensitive data lives in your Rails 7 app's database, and tracking your progress on encrypting it.
ActiveStash Assess comes in two parts:
- A Rake task for identifying database fields that include sensitive data (like Personally Identifying Information, Protected Health Information)
- An RSpec Matcher for verifying what fields have been encrypted in your database
Identify database fields with sensitive data
To start using ActiveStash Assess, ensure you are running Rails 7, and upgrade to version
0.9.0 of ActiveStash in your Rails application.
Run an assessment by running:
This will print results to
stdout in a human-readable format:
User: - User.name is suspected to contain: names (AS0001) - User.email is suspected to contain: emails (AS0001) - User.gender is suspected to contain: genders (AS0001) - User.ccn is suspected to contain: credit card numbers (AS0003) - User.dob is suspected to contain: dates of birth (AS0001) Online documentation: - https://docs.cipherstash.com/assess/checks#AS0001 - https://docs.cipherstash.com/assess/checks#AS0003 Assessment written to: /Users/you/your-app/active_stash_assessment.yml
Follow those links to learn more about why this data is considered sensitive, why adversaries want it, and what regulations and compliance frameworks cover this data.
Track your encryption progress
active_stash:assess Rake task also writes a results file to
active_stash_assessment.yml in your Rails project root.
We recommend you commit this file to your repo, so you can track your progress on encrypting these fields over time.
Once this report is generated, you can use the
encrypt_sensitive_fields RSpec matcher to verify that a model encrypts fields that were identified by
For example, to verify that all identified sensitive fields on the
User model are encrypted, add this to
require 'active_stash/matchers' describe User do it "encrypts sensitive fields", pending: "unenforced" do expect(described_class).to encrypt_sensitive_fields end end
When you run your test suite with
rake spec, you will see output similar to this:
This helps you keep track of what fields you need to encrypt, as you incrementally roll out Application Level Encryption on your app.
As the example above shows, we recommend you start out by marking the test as pending. This will stop the test from failing while you incrementally encrypt database fields. Once you have encrypted all the fields identified by ActiveStash Assess, remove the pending so your tests will fail if the database field becomes unencrypted.
ActiveStash Assess does not require a CipherStash account to use, and is shipped as part of ActiveStash in version