
SecureRandom.hex() vs SecureRandom.random_bytes() for key generation in Rails with attr_encrypted

The docs for attr_encrypted say that I must store the result of key = SecureRandom.random_bytes(32) on the model. I think that it would be more secure to have this key stored as an ENV variable. I am also accustomed to running rake secret for my ENV variables. rake secret relies on SecureRandom.hex().

I'm wondering two things:

  1. Am I right to assume that the encryption key should be stored as an ENV variable?
  2. Is there any difference in key encryption strength between the two SecureRandom methods, hex() vs random_bytes()?

SecureRandom#hex is defined as:

def hex(n=nil)
  # n random bytes, rendered as 2n hexadecimal characters
  random_bytes(n).unpack("H*")[0]
end

so the data generated by them is exactly the same, just the format differs.

As for encryption keys, it's up to you and the way you host your app. If it's on a server you control, an uncommitted config file is fine (though the environment variable approach still works, obviously). If you are hosting on e.g. Heroku, an environment variable is the way to go.
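The practical consequence of the answer above, as an added example that is not part of the question or the answer: hex(32) and random_bytes(32) both carry 256 bits of entropy, but a key that is stored in ENV as hex has to be decoded back to raw bytes before it is handed to the cipher, otherwise the cipher receives the 64-character hex string as a 64-byte key instead of the 32-byte key it expects. The example uses OpenSSL from the Ruby standard library as a stand-in for attr_encrypted (not the gem's own code), assumes attr_encrypted's default cipher is aes-256-gcm with a 32-byte key, and uses an assumed environment variable name, ATTR_ENCRYPTED_KEY.

```ruby
require 'securerandom'
require 'openssl'

# Added example, not code from the question or answer above. Assumes the cipher
# attr_encrypted uses by default is aes-256-gcm, which takes a 32-byte (256-bit) key.
KEY_BYTES = 32

# Generate a key in the form you would put in ENV, the way rake secret does:
# 32 random bytes rendered as 64 hex characters. Same entropy as random_bytes(32).
def generate_hex_key
  SecureRandom.hex(KEY_BYTES)
end

# Reverse SecureRandom#hex: turn the ENV string back into the raw bytes the
# cipher expects. Passing the 64-character hex string itself as the key would
# hand the cipher a 64-byte key, which is the wrong length for aes-256-gcm.
def decode_hex_key(hex)
  unless hex.is_a?(String) && hex.match?(/\A\h{#{KEY_BYTES * 2}}\z/)
    raise ArgumentError, "expected #{KEY_BYTES * 2} hex characters, got #{hex.inspect}"
  end
  [hex].pack('H*')
end

# Bits of entropy a raw key carries, for comparing the two SecureRandom forms.
def entropy_bits(raw_key)
  raw_key.bytesize * 8
end

# AES-256-GCM round trip with the decoded key (stand-in for what attr_encrypted
# does with the key; the gem itself is not used here). Returns [iv, ciphertext, tag].
def gcm_encrypt(raw_key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  cipher.key = raw_key
  iv = cipher.random_iv            # fresh IV per message; never reuse an IV with a key
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, ciphertext, cipher.auth_tag]
end

def gcm_decrypt(raw_key, iv, ciphertext, tag)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.decrypt
  cipher.key = raw_key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = ''
  cipher.update(ciphertext) + cipher.final   # raises OpenSSL::Cipher::CipherError if tampered
end

if __FILE__ == $PROGRAM_NAME
  # ATTR_ENCRYPTED_KEY is an assumed variable name; fall back to a fresh key for the demo.
  hex_key = ENV.fetch('ATTR_ENCRYPTED_KEY') { generate_hex_key }
  raw_key = decode_hex_key(hex_key)
  puts "hex key (#{hex_key.length} chars): #{hex_key}"
  puts "raw key: #{raw_key.bytesize} bytes, #{entropy_bits(raw_key)} bits of entropy"
  iv, ct, tag = gcm_encrypt(raw_key, 'constructed sample plaintext')
  puts "decrypted: #{gcm_decrypt(raw_key, iv, ct, tag)}"
end
```

Whichever form you store, the raw key that reaches the cipher is the same 32 bytes; the only thing hex buys you is a value that survives being pasted into an environment variable or a config file without binary-safety problems.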

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost them, please credit this site or the original URL.

© 2020-2024 STACKOOM.COM