cloak_ecto v1.0.0-alpha.0 Cloak.Ecto.SHA256 View Source

An Ecto.Type which hashes the field value using the SHA256 algorithm.

Why

If you store a hash of a field’s value, you can then query on it as a proxy for the encrypted field. This works because SHA256 is deterministic and always results in the same value, while secure encryption does not. Be warned, however, that hashing will expose which fields have the same value, because they will contain the same hash.

Security

For a more secure hashing method, see one of the following alternatives:

Usage

Create the hash field with the type :binary. Add it to your schema definition like this:

schema "table" do
  field :field_name, MyApp.Encrypted.Binary
  field :field_name_hash, Cloak.Ecto.SHA256
end

Ensure that the hash is updated whenever the target field changes with the put_change/3 function:

def changeset(struct, attrs \\ %{}) do
  struct
  |> cast(attrs, [:field_name, :field_name_hash])
  |> put_change(:field_name_hash, get_field(changeset, :field_name))
end

Query the Repo using the :field_name_hash in any place you would typically query by :field_name.

user = Repo.get_by(User, email_hash: "user@email.com")