vets-api database attributes are encrypted via a combination of the Lockbox gem and AWS KMS.
Database attributes were previously encrypted via the attr_encrypted gem, but we've since migrated away due to regular maintenance of the the Lockbox gem. Lockbox is additionally more favorable because it has a cleaner schema and built in key rotation, whereas attr_encrypted did not. Encryption keys are rotated on a monthly basis.
Lockbox performs the encryption/decryption, while KMS provides the secure key store.
We have successfully migrated from attr_encrypted to lockbox and KMS. All existing attributes were successfully migrated by the console services team.
How to add new encrypted attributes
Important: Any new encrypted attributes will need to use the Lockbox gem.
encrypts :my_attribute, **lockbox_options
If your attribute needs to be serialized, include the serialize syntax:
serialize :my_attribute, JsonMarshal::Marshaller
JsonMarshal::Marshaller is a popular attribute serialization option used widely in vets-api
Encryption for non-ActiveRecord attributes
KMS has the option to encrypt strings that are not attributes related to an ActiveRecord Model.
See the Outside Models in the kms_encrypted gem documentation.
Additionally, see this existing example in vets-api which is used to encrypt Sidekiq arguments.
kms = KmsEncrypted::Box.new