vets-api database attributes are encrypted via a combination of the Lockbox gem and AWS KMS.

Database attributes were previously encrypted via the attr_encrypted gem, but we've since migrated away due to regular maintenance of the the Lockbox gem. Lockbox is additionally more favorable because it has a cleaner schema and built in key rotation, whereas attr_encrypted did not. Encryption keys are rotated on a monthly basis.

Lockbox performs the encryption/decryption, while KMS provides the secure key store.

Current State

We have successfully migrated from attr_encrypted to lockbox and KMS. All existing attributes were successfully migrated by the console services team.

How to add new encrypted attributes

Important: Any new encrypted attributes will need to use the Lockbox gem.


encrypts :my_attribute, **lockbox_options

If your attribute needs to be serialized, include the serialize syntax:

serialize :my_attribute, JsonMarshal::Marshaller

The JsonMarshal::Marshaller is a popular attribute serialization option used widely in vets-api

Encryption for non-ActiveRecord attributes

KMS has the option to encrypt strings that are not attributes related to an ActiveRecord Model.

See the Outside Models in the kms_encrypted gem documentation.

Additionally, see this existing example in vets-api which is used to encrypt Sidekiq arguments.

kms =