cloak_ecto v1.0.0-alpha.0 Cloak.Ecto.SHA256 View Source

An Ecto.Type which hashes the field value using the SHA256 algorithm.


If you store a hash of a field’s value, you can then query on it as a proxy for the encrypted field. This works because SHA256 is deterministic and always results in the same value, while secure encryption does not. Be warned, however, that hashing will expose which fields have the same value, because they will contain the same hash.


For a more secure hashing method, see one of the following alternatives:


Create the hash field with the type :binary. Add it to your schema definition like this:

schema "table" do
  field :field_name, MyApp.Encrypted.Binary
  field :field_name_hash, Cloak.Ecto.SHA256

Ensure that the hash is updated whenever the target field changes with the put_change/3 function:

def changeset(struct, attrs \\ %{}) do
  |> cast(attrs, [:field_name, :field_name_hash])
  |> put_change(:field_name_hash, get_field(changeset, :field_name))

Query the Repo using the :field_name_hash in any place you would typically query by :field_name.

user = Repo.get_by(User, email_hash: "")