Database

Non-encrypted Confidential Information

Need

Protect sensitive information from unauthorized access

Context

• Usage of Elixir (version 1.11 and above) for building scalable and concurrent applications

• Usage of File module for file handling

Description

1. Non compliant code

defmodule MyApp.Data do
  def write_to_file(data) do
    # Plaintext goes straight to disk: anyone who can read the file reads the data.
    File.write("/path/to/file", data)
  end
end

The Elixir code above writes confidential information to a file without any encryption, so anyone who can read the file can read the data.

2. Steps

• Make use of the :crypto module for encryption purposes.

• Generate a strong encryption key and keep it secure.

• Encrypt sensitive data using the encryption key before storing or transmitting it.

• When retrieving the data, make sure to decrypt it using the same encryption key.

3. Secure code example

defmodule MyApp.Data do
  # `key` is a 16-byte secret (AES-128) generated once with :crypto.strong_rand_bytes/1
  # and loaded from secure configuration, never hard-coded.
  def write_to_file(data, key) do
    # strong_rand_bytes/1 returns the binary itself, not an {:ok, _} tuple.
    iv = :crypto.strong_rand_bytes(16)
    # block_encrypt/4 was removed in OTP 24; crypto_one_time/5 replaces it.
    # PKCS#7 padding allows plaintext that is not a multiple of 16 bytes.
    cipher =
      :crypto.crypto_one_time(:aes_128_cbc, key, iv, data, encrypt: true, padding: :pkcs_padding)
    # Prepend the IV so the reader can recover it for decryption.
    File.write("/path/to/file", iv <> cipher)
  end
end

The Elixir code above uses AES encryption (via the :crypto module) to encrypt the data before writing it to a file. This ensures that even if someone gains access to the file, they cannot read the data without the encryption key.
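The steps above also require decrypting on retrieval, which the page's snippet does not show. The following is an added example, not code from the original page: it carries the full write-then-read round trip and goes beyond the page's CBC snippet by using AES-128-GCM (authenticated encryption), so a file that has been modified or truncated is rejected instead of silently decrypting to garbage. The module name MyApp.SecureStore, the file path, the AAD string and the sample secret are assumptions for illustration.

```elixir
defmodule MyApp.SecureStore do
  @moduledoc """
  Added example (not from the original page): encrypt-before-write and
  decrypt-after-read with AES-128-GCM from Erlang's :crypto module.
  File layout: 12-byte IV || 16-byte auth tag || ciphertext.
  """

  @iv_bytes 12
  @tag_bytes 16

  # Step 2: a strong key, generated once and kept outside the code base
  # (secrets manager or protected config), never hard-coded.
  def generate_key, do: :crypto.strong_rand_bytes(16)

  # Step 3: encrypt with a fresh random IV for every write, then store.
  # The AAD (assumed label) binds the blob to its context so it cannot be
  # swapped into another context without failing verification.
  def write_encrypted(path, key, plaintext, aad \\ "myapp:v1") do
    iv = :crypto.strong_rand_bytes(@iv_bytes)

    {ciphertext, tag} =
      :crypto.crypto_one_time_aead(:aes_128_gcm, key, iv, plaintext, aad, true)

    File.write(path, iv <> tag <> ciphertext)
  end

  # Step 4: read, split the IV and tag back off, decrypt with the same key.
  # GCM verifies the tag, so a tampered or truncated file yields
  # {:error, :tampered} rather than bogus plaintext.
  def read_encrypted(path, key, aad \\ "myapp:v1") do
    with {:ok, <<iv::binary-size(@iv_bytes), tag::binary-size(@tag_bytes),
                 ciphertext::binary>>} <- File.read(path),
         plaintext when is_binary(plaintext) <-
           :crypto.crypto_one_time_aead(:aes_128_gcm, key, iv, ciphertext, aad, tag, false) do
      {:ok, plaintext}
    else
      :error -> {:error, :tampered}
      {:ok, _too_short} -> {:error, :tampered}
      {:error, reason} -> {:error, reason}
    end
  end
end

# Usage with constructed sample data (assumed path and secret):
key = MyApp.SecureStore.generate_key()
:ok = MyApp.SecureStore.write_encrypted("/tmp/secret.bin", key, "db_password=example-only")
{:ok, "db_password=example-only"} = MyApp.SecureStore.read_encrypted("/tmp/secret.bin", key)
```

Flipping any byte of /tmp/secret.bin and calling read_encrypted again returns {:error, :tampered}, which is the integrity guarantee plain CBC does not give.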