Replies: 5 comments 4 replies
-
Hi @rotemtam,
Since it's an external lib I suggest adding it as an extension.

```go
func (Todo) Fields() []ent.Field {
	return []ent.Field{
		field.Text("text").
			NotEmpty().
			Annotations(
				crypto.Enable(),
				crypto.Algorithm("AEAD"),
				crypto.KeyType("AES128_GCM"),
			),
	}
}
```
-
We've been experimenting with approaches to the problem here at @ariga (work done by @yonidavidson). I can share some details on a "Work in Progress" in this field, please don't take it as a final implementation or anything, but perhaps this can be useful to you. This is for the use case where we need symmetric encryption, we define:

```go
// Cipher is used to encrypt and decrypt information in a field.
type Cipher struct {
	Encrypter
	Decrypter
}

// Encrypter is the interface that wraps the Encrypt method.
type Encrypter interface {
	Encrypt(string) (string, error)
}

// Decrypter is the interface that wraps the Decrypt method.
type Decrypter interface {
	Decrypt(string) (string, error)
}
```

Then we use ent's External Dependencies feature to inject a

```go
entc.Dependency(
	entc.DependencyName("Cipher"),
	entc.DependencyType(&crypto.Cipher{}),
),
```

We have some When we initialize the client we pass the implementation in:

```go
tk := newTinkCrypto(keyHandle)
cipher := &crypto.Cipher{Encrypter: tk, Decrypter: tk}
drv := sql.OpenDB(dialect, db)
client := ent.NewClient(
	ent.Driver(drv),
	ent.Cipher(cipher),
)
```

Next, we use the

```go
func encryptPass(next ent.Mutator) ent.Mutator {
	return hook.UserFunc(func(ctx context.Context, m *gen.UserMutation) (ent.Value, error) {
		// Password() reports the value set on this mutation, if any.
		if p, ok := m.Password(); ok {
			e, err := m.Cipher.Encrypt(p)
			if err != nil {
				return nil, err
			}
			m.SetPassword(e)
		}
		return next.Mutate(ctx, m)
	})
}
```

So far this guarantees encryption on the write path. Since we don't have anything like interceptors in Ent yet, we place a file such as

```go
func (u *User) DecryptedPass() (string, error) {
	return u.Cipher.Decrypt(u.Password)
}
```

Then we can invoke this method to get the clear text version of the password where needed. This is far from perfect, but I thought it might be helpful to share this work in progress.
-
I wrote an example. The encryption and decryption are processed by GoType. The Value function is used to encrypt the raw value and store the ciphertext in the database, and the Scan function is used to decrypt the ciphertext from the database into memory. Decryption and encryption are provided by tink. Example here: https://github.com/seamory/ent-encrypt-example
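The Value/Scan approach described in the comment above, as an added example that is not part of the thread or of the linked repository: a field type that encrypts when written and decrypts when read. It assumes the Go standard library's AES-128-GCM in place of Tink, a constructed demo key, a bytes column, and a hypothetical type name `Secret`.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"database/sql/driver"
	"errors"
	"fmt"
)

// Constructed fixed 16-byte demo key, so these constructors cannot fail here;
// check both errors when the key is loaded at runtime (KMS, Tink keyset).
var block, _ = aes.NewCipher([]byte("0123456789abcdef"))
var gcm, _ = cipher.NewGCM(block)

// Secret is a hypothetical custom field type carrying its own Value/Scan pair.
type Secret string

// Value runs on the write path and stores nonce || ciphertext || tag.
func (s Secret) Value() (driver.Value, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(s), nil), nil
}

// Scan runs on the read path; it rejects short, non-bytes and tampered values.
func (s *Secret) Scan(src interface{}) error {
	raw, ok := src.([]byte)
	n := gcm.NonceSize()
	if !ok || len(raw) < n {
		return errors.New("secret: malformed ciphertext")
	}
	pt, err := gcm.Open(nil, raw[:n], raw[n:], nil)
	if err != nil {
		return err // authentication failed: wrong key or modified row
	}
	*s = Secret(pt)
	return nil
}

func main() {
	enc, _ := Secret("constructed sample").Value()
	var dec Secret
	err := dec.Scan(enc)
	fmt.Println(len(enc.([]byte)), dec, err)
}
```

Because each write draws a fresh nonce, equal plaintexts produce different stored values, so an encrypted column of this kind cannot be used in equality predicates or unique indexes.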
-
Hi @rotemtam
-
Has anyone come up with in the meantime? We were thinking about using pgsodium. Though that's a very Postgres-specific approach. Anyway, wanted to ask if there had been developments here.
-
Hi All,
Recently at work, I've encountered the need to encrypt the contents of a field in one of my Ent schemas. I worked on a local solution, but I think it would be great to provide something like this as either an extension or a core capability for ent.
In general, the user story goes something like this:
So a few questions to the community:
Thanks in advance!