
Non-encrypted Confidential Information

Need

Protect sensitive information from unauthorized access

Context

  • Usage of Elixir (version 1.11 and above) for building scalable and concurrent applications
  • Usage of File module for file handling

Description

Non compliant code

defmodule MyApp.Data do
  def write_to_file(data) do
    # Plaintext write: whoever can read the file can read the secret
    File.write("/path/to/file", data)
  end
end

The above Elixir code writes confidential information to a file in plaintext, so anyone who can read the file (another local user, a backup operator, an attacker with a path traversal or a stolen disk image) can read the data directly.

Steps

  • Make use of the :crypto module for encryption purposes, choosing an authenticated mode such as AES-GCM so that tampering with the stored data is detected on decryption.
  • Generate a strong random encryption key (for example with :crypto.strong_rand_bytes/1) and keep it in a secret store or environment variable, never in the source code or next to the encrypted file.
  • Encrypt sensitive data with that key before storing or transmitting it, using a fresh random IV/nonce for every encryption and storing the IV and authentication tag alongside the ciphertext.
  • When retrieving the data, decrypt it with the same key and treat a failed authentication check as an error rather than returning whatever bytes come out.
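The steps above as one complete round trip. This is an added example and not code from the original page: it seals data with AES-256-GCM before writing, unseals it on read, and rejects a file whose bytes have been altered. The module name, the environment variable MYAPP_DATA_KEY, the file layout (version byte, IV, tag, ciphertext) and the sample data in demo/0 are assumptions made for the example.

```elixir
# Added example (not from the original page). Assumptions: module name,
# MYAPP_DATA_KEY as the key source, and the on-disk layout version|iv|tag|ciphertext.
defmodule MyApp.SealedFile do
  @cipher :aes_256_gcm
  @key_bytes 32
  @iv_bytes 12
  @tag_bytes 16
  # A version byte lets the format change later without breaking old files.
  @version <<1>>

  # Key is loaded from the environment (assumed variable name), never hard-coded.
  # It must be 32 random bytes, stored base64-encoded in a secret store.
  def load_key do
    key = System.fetch_env!("MYAPP_DATA_KEY") |> Base.decode64!()
    if byte_size(key) != @key_bytes, do: raise(ArgumentError, "key must be 32 bytes")
    key
  end

  # Generate a new key once and store its output in the secret store.
  def generate_key, do: :crypto.strong_rand_bytes(@key_bytes) |> Base.encode64()

  # Encrypt with a fresh random IV per message. The file path is bound in as AAD,
  # so a valid ciphertext cannot be silently copied into a different file.
  def seal(plaintext, key, path) when byte_size(key) == @key_bytes do
    iv = :crypto.strong_rand_bytes(@iv_bytes)
    {ciphertext, tag} = :crypto.crypto_one_time_aead(@cipher, key, iv, plaintext, path, true)
    @version <> iv <> tag <> ciphertext
  end

  # Returns {:ok, plaintext}, or {:error, :invalid} when the IV, tag, AAD or
  # ciphertext was altered: GCM verifies the tag before releasing any plaintext.
  def open(<<1, iv::binary-size(@iv_bytes), tag::binary-size(@tag_bytes), ciphertext::binary>>, key, path) do
    case :crypto.crypto_one_time_aead(@cipher, key, iv, ciphertext, path, tag, false) do
      :error -> {:error, :invalid}
      plaintext -> {:ok, plaintext}
    end
  end

  def open(_other, _key, _path), do: {:error, :invalid}

  def write_to_file(path, data, key) do
    with :ok <- File.write(path, seal(data, key, path)) do
      # Encryption does not replace file permissions: owner read/write only.
      File.chmod(path, 0o600)
    end
  end

  def read_from_file(path, key) do
    with {:ok, blob} <- File.read(path), do: open(blob, key, path)
  end

  # Demonstration with a constructed key and sample secret in a temp file.
  def demo do
    key = :crypto.strong_rand_bytes(@key_bytes)
    path = Path.join(System.tmp_dir!(), "myapp_sealed_demo.bin")
    secret = "db_password=s3cret"
    :ok = write_to_file(path, secret, key)
    {:ok, ^secret} = read_from_file(path, key)

    # Flip one ciphertext byte (after the 1 + 12 + 16 byte header):
    # decryption must fail instead of returning corrupted plaintext.
    {:ok, blob} = File.read(path)
    <<head::binary-size(29), b, rest::binary>> = blob
    File.write!(path, <<head::binary, Bitwise.bxor(b, 1), rest::binary>>)
    {:error, :invalid} = read_from_file(path, key)

    File.rm!(path)
    :ok
  end
end
```

Run MyApp.SealedFile.demo() in iex to see the round trip and the tamper check; in production replace the generated key in demo/0 with load_key/0 and rotate the key by re-sealing files, since a new key cannot open blobs written under the old one.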

Compliant code

defmodule MyApp.Data do
  # `key` must be a 32-byte secret for AES-256-GCM, loaded from a secret store,
  # never hard-coded. GCM authenticates the ciphertext as well as encrypting it.
  def write_to_file(data, key) when byte_size(key) == 32 do
    # strong_rand_bytes/1 returns a binary directly (no {:ok, _} tuple)
    iv = :crypto.strong_rand_bytes(12)
    {cipher, tag} = :crypto.crypto_one_time_aead(:aes_256_gcm, key, iv, data, "", true)
    # Store IV and tag with the ciphertext; both are required to decrypt
    File.write("/path/to/file", iv <> tag <> cipher)
  end
end

The above Elixir code uses AES in an authenticated mode (AES-256-GCM via the :crypto module) to encrypt the data before writing it to a file, with a random IV for each write and the authentication tag stored next to the ciphertext. Even if someone gains access to the file they cannot read the data without the key, and any modification of the stored bytes is detected when the data is decrypted. The older :crypto.block_encrypt/4 API is deprecated and has been removed in recent OTP releases, so :crypto.crypto_one_time_aead/6 (or :crypto.crypto_one_time/5 for non-AEAD modes) should be used instead.

References