Non-encrypted Confidential Information - Elixir


Need

Protect sensitive information from unauthorized access


Context

  1. Usage of Elixir (version 1.11 and above) for building scalable and concurrent applications
  2. Usage of File module for file handling

Description

Insecure Code Example

defmodule MyApp.Data do
  def write_to_file(data) do
    File.write("/path/to/file", data)
  end
end

The Elixir code above writes confidential information to a file without any encryption, so anyone who can read the file can read the data.

Steps

  1. Make use of the :crypto module for encryption purposes.
  2. Generate a strong encryption key and keep it secure.
  3. Encrypt sensitive data using the encryption key before storing or transmitting it.
  4. When retrieving the data, make sure to decrypt it using the same encryption key.

Secure Code Example

defmodule MyApp.Data do
  def write_to_file(data, key) do
    # strong_rand_bytes/1 returns the random binary directly, not an {:ok, _} tuple
    iv = :crypto.strong_rand_bytes(16)
    # block_encrypt/4 was removed in OTP 24; crypto_one_time/5 also returns the
    # ciphertext directly. PKCS#7 padding lets data of any length be used,
    # since AES-CBC otherwise requires a multiple of 16 bytes.
    cipher = :crypto.crypto_one_time(:aes_128_cbc, key, iv, data, encrypt: true, padding: :pkcs_padding)
    # Prepend the IV so the reader can recover it for decryption
    encrypted_data = iv <> cipher
    File.write("/path/to/file", encrypted_data)
  end
end

The Elixir code above uses AES encryption (via the :crypto module) to encrypt the data before writing it to a file. Even if someone gains access to the file, they cannot read the data without the encryption key.
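The four steps above carried through end to end, as an added example that is not part of the original page: an AES-256-GCM write/read round trip that, unlike the CBC example, also rejects a file whose contents were modified or decrypted with the wrong key. The module name, the file path and the AAD string are assumptions.

```elixir
defmodule MyApp.SecretStore do
  @moduledoc """
  Added example (not from the original page): stores a secret on disk
  encrypted with AES-256-GCM so the file is unreadable without the key and
  any change to the stored bytes is detected when reading it back.
  """

  @aad "MyApp.SecretStore.v1" # constructed label binding ciphertexts to this store
  @iv_bytes 12                 # 96-bit nonce, the recommended size for GCM
  @tag_bytes 16                # full-length authentication tag

  # Step 2: a strong key is 32 random bytes. Generate it once and keep it
  # outside the code base (environment variable or secret manager).
  def generate_key, do: :crypto.strong_rand_bytes(32)

  # Step 3: encrypt before storing. A fresh random IV per call ensures the
  # same plaintext never yields the same ciphertext twice.
  def encrypt(plaintext, key) when byte_size(key) == 32 do
    iv = :crypto.strong_rand_bytes(@iv_bytes)

    {ciphertext, tag} =
      :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, plaintext, @aad, @tag_bytes, true)

    iv <> tag <> ciphertext
  end

  # Step 4: decrypt with the same key. GCM returns :error instead of plaintext
  # if the IV, tag or ciphertext were altered or a different key is used.
  def decrypt(<<iv::binary-size(@iv_bytes), tag::binary-size(@tag_bytes), ciphertext::binary>>, key)
      when byte_size(key) == 32 do
    case :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, ciphertext, @aad, tag, false) do
      :error -> {:error, :tampered_or_wrong_key}
      plaintext -> {:ok, plaintext}
    end
  end

  # Blob too short to contain an IV and tag: never reached the cipher at all
  def decrypt(_blob, _key), do: {:error, :malformed}

  # Path is a placeholder; only ciphertext ever reaches the file
  def write_to_file(path, data, key), do: File.write(path, encrypt(data, key))

  def read_from_file(path, key) do
    with {:ok, blob} <- File.read(path), do: decrypt(blob, key)
  end
end
```

With `key = MyApp.SecretStore.generate_key()`, `write_to_file/3` followed by `read_from_file/2` returns `{:ok, data}`, while flipping any byte of the file or supplying another key returns `{:error, :tampered_or_wrong_key}`.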


References

  • 020 - Non-encrypted Confidential Information

  • Last updated: 2023/09/18