Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
大事なデータを守りたい!ActiveRecord Encryptionと、より安全かつ検索可能...
Search
free_world21
October 27, 2024
Programming
0
0
大事なデータを守りたい!ActiveRecord Encryptionと、より安全かつ検索可能な暗号化手法の実装例の紹介
Kaigi on Rails Day2にて使用した発表用スライドです。
https://kaigionrails.org/2024/talks/f-world21/
free_world21
October 27, 2024
Tweet
Share
More Decks by free_world21
See All by free_world21
DjangoとRailsを使って趣味として政治資金を透明化するプロダクトを作ってる話
free_world21
0
8
Ruby on Rails on Kubernetesってどうなの?
free_world21
0
0
Ruby on Rails と Django を比較してみる
free_world21
1
120
Shinjuku.rb#95:心の技術書紹介
free_world21
1
180
Rails engineを用いたゆるふわモジュラーモノリス のご紹介
free_world21
1
320
『Railsオワコン』と言われる時代に、なぜブルーモ証券はRailsを選ぶのか
free_world21
3
1k
東証障害報告書を読み解く
free_world21
0
130
Ruby/Railsの勉強会のおかげでブルーモ証券起業した
free_world21
2
400
エンジニアとしての属性軸(自己分析軸?)を考えてみた
free_world21
0
82
Other Decks in Programming
See All in Programming
Scaling your build logic
antalmonori
1
150
Lookerは可視化だけじゃない。UIコンポーネントもあるんだ!
ymd65536
1
140
Fibonacci Function Gallery - Part 2
philipschwarz
PRO
0
230
React 19でお手軽にCSS-in-JSを自作する
yukukotani
5
600
チームの立て直し施策をGoogleの 『効果的なチーム』と見比べてみた
maroon8021
0
270
バックエンドのためのアプリ内課金入門 (サブスク編)
qnighy
7
1.5k
GitHub CopilotでTypeScriptの コード生成するワザップ
starfish719
28
6.1k
Package Traits
ikesyo
2
230
オニオンアーキテクチャを使って、 Unityと.NETでコードを共有する
soi013
0
390
PicoRubyと暮らす、シェアハウスハック
ryosk7
0
250
rails newと同時に型を書く
aki19035vc
6
750
はてなにおけるfujiwara-wareの活用やecspressoのCI/CD構成 / Fujiwara Tech Conference 2025
cohalz
3
3.2k
Featured
See All Featured
A designer walks into a library…
pauljervisheath
205
24k
The Illustrated Children's Guide to Kubernetes
chrisshort
48
49k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Visualization
eitanlees
146
15k
Product Roadmaps are Hard
iamctodd
PRO
50
11k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.3k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
11
900
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
1.3k
Building Applications with DynamoDB
mza
93
6.2k
We Have a Design System, Now What?
morganepeng
51
7.4k
Measuring & Analyzing Core Web Vitals
bluesmoon
6
220
Art, The Web, and Tiny UX
lynnandtonic
298
20k
Transcript
ブルーモ証券株式会社 ©2024 Bloomo Securities Inc. େࣄͳσʔλΛकΓ͍ͨʂ "DUJWF3FDPSE&ODSZQUJPOͱɺ ΑΓ҆શ͔ͭݕࡧՄೳͳ ҉߸Խख๏ͷ࣮ྫͷհ ,BJHJPO3BJMT%BZ!)BMM#MVF
খྛޛ࢙ OPFM 4BU
©2024 Bloomo Securities Inc. • খྛޛ࢙ʢখྛϊΤϧʣ • ϒϧʔϞূ݊גࣜձࣾऔక$50 • 0NPUFTBOEPSC
3PQQPOHJSC 4IJOKVLVSCͱ͔ʹΑ͍͘· ͢ • ཱྀߦɾੈքͷίϫʔΩϯάεϖʔεΊ͙Γʢϫʔέʔγϣϯ తͳԿ͔ʣ͕͖ • झຯͰʲ࣏ࢿۚσʔλϕʔεʳΛ։ൃͯ͠·͢ ͖ͳόϯυ • -`"SDdFOd$JFM 1*&3305 THE FARM@NY CARR WORKPLACE@Chicago @free_world21
©2024 Bloomo Securities Inc. *OEFY ձࣾհˍഎܠհ ͦͦ҉߸Խͱʁ "DUJWF3FDPSE&ODSZQUJPOͷհ "DUJWF3FDPSE&ODSZQUJPOͰ࣮ݱͮ͠Β͍ཁ݅ͷྫ ֤छ҉߸Խख๏͝հ
attr_encryptedΛ࣮ͬͨྫ ҉߸Խͭͭ͠ݕࡧՄೳʹ͢Δํ๏ͷհ ·ͱΊ • ͞ͳ͍͜ͱɿ҉߸ԽΞϧΰϦζϜͱ͔ൿີܭࢉɾݕࡧͱ͔ • ରऀɿ։ൃ͍ͯ͠Δ3BJMTΞϓϦͷσʔλ҉߸Խʹڵຯ͕͋Δਓ • తɿ"DUJWF3FDPSE&ODSZQUJPO BUUS@FODSZQUFE MPDLCPYͷ֓ཁͱ͔͍ͭͲ͜ΖΛཧղ͢Δ͜ͱ • ൃදࢿྉޙ΄Ͳެ։͠·͢
©2024 Bloomo Securities Inc. ձࣾհˍഎܠհrϓϩμΫτ ถࠃגࢿ࢈ӡ༻ΞϓϦ#MPPNPΛఏڙதʂ ίϐϖͰʮόϑΣοτࢿʯεϚϗ݁Ͱएऀؾܰʹ :065)'*/"/$&ᶃ
©2024 Bloomo Securities Inc. ձࣾհˍഎܠհrϓϩμΫτػೳ ϙʔτϑΥϦΦػೳͰɺߴͳࢿ࢈ӡ༻ͷϋʔυϧΛԼ͍͛ͯΔ ϙʔτϑΥϦΦࢿػೳ ڞ༗ɾίϐʔػೳ ถࠃגɾ&5'ͰཧͷϙʔτϑΥϦΦΛ࡞ͨ͠Βɺ ྆ସങϒϧʔϞ͕ࣗಈࣥߦͯ͘͠ΕΔɻ
ෳฑͷࢄࢿ͕खؒͳ࣮͘ݱͰ͖Δ ʢϢʔβʔͷอ༗ฑҎ্ʢຊฏۉͷഒఔʣʣ ॳ৺ऀͰϙʔτϑΥϦΦ࡞͕Մೳʹ ʢϢʔβʔͷׂҎ্͕ίϐʔ͔Β։࢝ʣ ઐՈଞͷϢʔβʔͷϙʔτϑΥϦΦΛݟͯɺ ϫϯλοϓͰίϐʔͰ͖Δɻ
©2024 Bloomo Securities Inc. ձࣾհˍഎܠհrۀ͔Β͜Ε·ͰͷาΈ ݄ ݄
݄ ݄ ݄ ݄ ۀ ূ݊ձࣾ ϥΠηϯεऔಘ ਖ਼ࣜϦϦʔε ʢҰൠެ։ʣ γʔυϥϯυ ԯԁௐୡ ট੍ϦϦʔε /*4"ޱ࠲ ఏڙ։࢝ ͿΓͷূ݊ձࣾελʔτΞοϓͱ্ཱ͕ͯͪͬͨ͠ 個別株を取扱う証券会社スタートアップとしては、Finatext・FOLIO以来の存在。史上最速ペースで⾦商1種(証券会社) ライセンス取得・プロダクトリリースを続けてきた。
©2024 Bloomo Securities Inc. ձࣾհˍഎܠհrۀ͔Β͜Ε·ͰͷาΈ ݄ ݄
݄ ݄ ݄ ݄ ۀ ূ݊ձࣾ ϥΠηϯεऔಘ ਖ਼ࣜϦϦʔε ʢҰൠެ։ʣ γʔυϥϯυ ԯԁௐୡ ট੍ϦϦʔε /*4"ޱ࠲ ఏڙ։࢝ ͿΓͷূ݊ձࣾελʔτΞοϓͱ্ཱ͕ͯͪͬͨ͠ 個別株を取扱う証券会社スタートアップとしては、Finatext・FOLIO以来の存在。史上最速ペースで⾦商1種(証券会社) ライセンス取得・プロダクトリリースを続けてきた。 ূ݊ձࣾͱͯ͠ͷ rails new .
©2024 Bloomo Securities Inc. ձࣾհˍഎܠհrۀ͔Β͜Ε·ͰͷาΈ ݄ ݄
݄ ݄ ݄ ݄ ۀ ূ݊ձࣾ ϥΠηϯεऔಘ ਖ਼ࣜϦϦʔε ʢҰൠެ։ʣ γʔυϥϯυ ԯԁௐୡ ট੍ϦϦʔε /*4"ޱ࠲ ఏڙ։࢝ ͿΓͷূ݊ձࣾελʔτΞοϓͱ্ཱ͕ͯͪͬͨ͠ 個別株を取扱う証券会社スタートアップとしては、Finatext・FOLIO以来の存在。史上最速ペースで⾦商1種(証券会社) ライセンス取得・プロダクトリリースを続けてきた。 ূ݊ձࣾͱͯ͠ͷ rails new .
©2024 Bloomo Securities Inc. ձࣾհˍഎܠհrূ݊γεςϜΛ࡞Δ͏͑Ͱ • Կ͔גΛങ͏ͨΊʹূ݊ձࣾͷޱ࠲Λͭ͘Βͳ͚Ε͍͚ͳ͍ • ূ݊ձࣾʢͷγεςϜʣΛ࡞ΔͨΊʹ༷ʑͳཁ݅ʢ๏ͳͲʣΛकΒͳ͚Ε͍͚ͳ͍ •
ηΩϡϦςΟʔपΓʹΑΓؾΛ͏ඞཁ͕͋Δ • αΠόʔ߈ܸͳͲΛؚΉɺใηΩϡϦςΟʹؔ͢ΔڴҖ͕ͷ͍͍͢͝Ͱڧ·͍ͬͯΔ – ૬͙࣍ݸਓใྲྀग़ – ϥϯαϜΣΞʹΑΔඃʢχίχίಈըʣ ͓٬༷ʢ͏ଆʣઢ ΤϯδχΞʢ࡞Δଆʣઢ
©2024 Bloomo Securities Inc. ͦͦ҉߸Խͱʁ҉߸ԽͱϋογϡԽ “小林ノエル” “m6mlF70S3Qoqt86hyUJzWxhwW6JYgyXgBPPJHrhvVAGQ” “$2a$10$aBy67z2lE8O/OO/Xfnr7ZO6sQCP948cWDM/9Mi fMGR5472nkfqGUW” “小林ノエル”
҉߸Խ ϋογϡԽ • σʔλΛಛఆͷ҉߸ݤΛͬͯม͠ɺਖ਼͍͠ݤ͕ͳ͍ͱݩʹͤͳ͍Α͏ʹ͢Δॲཧ • σʔλͷػີੑΛอޢ͢ΔͨΊʹΘΕΔ • σʔλΛҰํͷݻఆͷʹม͢Δ͜ͱͰɺݩͷσʔλʹͤͳ͍Α͏ʹ͢Δॲཧ • ओʹσʔλͷ߹ੑΛ֬ೝ͢ΔͨΊʹΘΕΔ 🔑 ฏจ ҉߸จ ݩσʔλ ϋογϡ
©2024 Bloomo Securities Inc. ͦͦ҉߸Խͱʁͳͥ҉߸Խ͢Δͷ͔ • ೖޱରࡦɾ෦ରࡦɾग़ޱରࡦͷ͏ͪɺ෦ରࡦͷ͏ͪͷͭ – ೖޱରࡦ •
ϑΝΠΞΥʔϧɾϑΟϧλʔ • ଟཁૉೝূɺ71/ͳͲ – ෦ରࡦ • σʔλ҉߸Խ • ϩάࢹ – ग़ޱରࡦ • ௨৴Ͱ͖Δܦ࿏ΛߜΔ • ֎෦σόΠεͷσʔλॻ͖ࠐΈ੍ݶ • Կ͔σʔλ͕ྲྀग़ͨ͠ͱ͖ͷඃΛ͑ΔͨΊͷख๏
©2024 Bloomo Securities Inc. ͦͦ҉߸Խͱr҉߸ԽΛ͢Δࡍʹߟྀ͖͢ϙΠϯτ • ҉߸ԽͷΞϧΰϦζϜ – %&4 "&4
34" &$$ ʜ – ΄ͱΜͲͷ߹ϑϨʔϜϫʔΫϥΠϒϥϦͷσϑΥϧτʢਪʣͷͷΛ͑0, • ຊͷ͓ͷείʔϓ֎ • ݤͷཧํ – ҉߸ݤΛͲ͜ʹ͓͍ͯ୭͕ཧ͢Δͷ͔ʁ • ҉߸Խͷ୯Ґ – ͲͷΑ͏ͳ୯ҐͰ҉߸Խ͢Δ͔ • ΞϓϦέʔγϣϯͯ͢ΛͭͷݤͰҰׅ҉߸Խ • ͋Δఔ·ͱ·ͬͨ୯Ґʢςʔϒϧ͝ͱͱ͔ʣͰ҉߸ݤΛΘ͚Δ • Ϩίʔυ͝ͱʹ҉߸ݤΛΘ͚Δ • ݕࡧੑೳ – ҉߸Խͨ͠σʔλΛ%#ʹೖΕΔͱଟ͘ͷ߹Ͱݕࡧ͕Ͱ͖ͳ͘ͳΔ – ඞཁʹԠͯ͡ΞϓϦέʔγϣϯϨΠϠͰݕࡧػೳΛ࣮͢Δඞཁ͕͋Δ ݤͷཧํ ҉߸Խͷ୯Ґ ݕࡧੑೳ
©2024 Bloomo Securities Inc. "DUJWF3FDPSE&ODSZQUJPOͷհr֓ཁͱ؆୯ͳ͍ํͷ͝հ • 3BJMT "DUJWF3FDPSE ʹΈࠐ·Ε͍ͯΔ҉߸Խػߏ
– %#ʹอଘ͢Δͱ͖ʹ҉߸Խ͞Εͯอଘ͞ΕΔ – ΞϓϦέʔγϣϯɿฏจͱͯ͠ѻ͑Δɺ%#ɿ҉߸จͱͯ͠อଘ͞ΕΔ $ rails db:encryption:init Add this entry to the credentials of the target environment: active_record_encryption: primary_key: azc7QkZYSg9ll01TjBNpnURUnF42gt1s deterministic_key: U987a4KAnhfA5oAQrLY7pYaTqysIYqqE key_derivation_salt: puoi8lJbvyM4FQErFYJ26BFuE1OJLHtf secret_key_base: hogehogefugafuga…… active_record_encryption: primary_key: azc7QkZYSg9ll01TjBNpnURUnF42gt1s deterministic_key: U987a4KAnhfA5oAQrLY7pYaTqysIYqqE key_derivation_salt: puoi8lJbvyM4FQErFYJ26BFuE1OJLHtf config/credentials.yml.enc にそのままコピペ
©2024 Bloomo Securities Inc. "DUJWF3FDPSE&ODSZQUJPOͷհr֓ཁͱ؆୯ͳ͍ํͷ͝հ • 3BJMT "DUJWF3FDPSE ʹΈࠐ·Ε͍ͯΔ҉߸Խػߏ
– %#ʹอଘ͢Δͱ͖ʹ҉߸Խ͞Εͯอଘ͞ΕΔ – ΞϓϦέʔγϣϯɿฏจͱͯ͠ѻ͑Δɺ%#ɿ҉߸จͱͯ͠อଘ͞ΕΔ class PersonalInfo < ApplicationRecord encrypts :first_name encrypts :last_name end
©2024 Bloomo Securities Inc. "DUJWF3FDPSE&ODSZQUJPOͷհr֓ཁͱ؆୯ͳ͍ํͷ͝հ • ҉߸ݤଐੑ͝ͱʹจࣈྻΧελϜΩʔϓϩόΠμΛࢦఆՄೳ class PersonalInfo
< ApplicationRecord encrypts :first_name, key: "some secret key for personal_info" encrypts :last_name, key_provider: PersonalInfoKeyProvider.new end • ܾఆత҉߸ԽΛ͑ݕࡧՄೳ class PersonalInfo < ApplicationRecord encrypts :first_name, deterministic: true encrypts :last_name, deterministic: true end
©2024 Bloomo Securities Inc. "DUJWF3FDPSE&ODSZQUJPOͷհrʲ҉߸ԽΛ͢Δࡍʹߟྀ͖͢ϙΠϯτʳʹরΒ͠߹ΘͤΔͱ • ݤͷཧํ – config/credentials.yml.enc ʹهࡌ
– ΧελϜΩʔϓϩόΠμΛ͑ϓϩάϥϜతʹऔಘՄೳʢྫɿ,.4 4FDSFU.BOBHFS ʣ • ҉߸Խͷ୯Ґ – σϑΥϧτͰ୯ҰͷݤͰͯ͢ͷରσʔλΛ҉߸Խ – ΧελϜΩʔϓϩόΠμΛ͑ɺΫϥεʢςʔϒϧʣ͝ͱʹ͚Δ͜ͱՄೳ • ݕࡧੑೳ – σϑΥϧτͰඇܾఆత҉߸ԽʢݕࡧෆՄೳʣ – ܾఆత҉߸ԽϞʔυʹ͢ΕݕࡧՄೳ ݤͷཧํ ҉߸Խͷ୯Ґ ݕࡧੑೳ
©2024 Bloomo Securities Inc. "DUJWF3FDPSE&ODSZQUJPOͰ࣮ݱͮ͠Β͍ཁ݅rۚ༥ػؔΛྫʹ • ݤͷཧํ – ਓ͕ؒཧͨ͘͠ͳ͍ –
ʢ͜͜"DUJWF3FDPSE&ODSZQUJPOͰ࣮ݱͰ͖Δʣ • ҉߸Խͷ୯Ґ – ձࣾͦͷͷͷੑ࣭ˍѻ͏σʔλͷॏཁੑ͔ΒɺϨίʔυ͝ͱʹҟͳΔ҉߸ݤΛ͍͍ͨ • ݸਓใ • ϚΠφϯόʔʢҰ࣌తʣ • ຊਓ֬ೝॻྨը૾ʢ໔ڐূͳͲʣ • ʢΫϨδοτΧʔυ൪߸ʣ • ݕࡧੑೳ – ͓٬༷͔Βͷ͍߹Θ͕ͤ͋ͬͨͱ͖ʹɺຊਓ֬ೝͷͨΊʹҰఆ߲Ͱͷݕࡧඞཁ • ໊લͱੜ݄ • ॅॴ ݤͷཧํ ҉߸Խͷ୯Ґ ݕࡧੑೳ
©2024 Bloomo Securities Inc. ֤छ҉߸Խख๏͝հrattr_encryptedͱlockbox • 3BJMT✕҉߸ԽͰҰ൪ྺ࢙͕ݹ͍ – "DUJWF3FDPSE&ODSZQUJPOҎલ͔Β͋Δ –
'JSTUSFMFBTF • ଟ͘ͷࢀߟจݙ͕͋Δ • খྛ͕ࣗੲ͔Βͬͯͨܦݧ͕͋Δ • attr_encrypted ͷݱ൛తͳҐஔ͚ͮ • ͍ํ"DUJWF3FDPSE&ODSZQUJPOattr_encryptedͱ͍͍ͩͨಉ͡ • "DUJWF3FDPSE&ODSZQUJPOΑΓগ͚ͩ͠લʹॳظϦϦʔε – "DUJWF3FDPSE&ODSZQUJPO 3BJMT – lockboxGJSTUSFMFBTF attr_enctypted lockbox
©2024 Bloomo Securities Inc. attr_encryptedΛ࣮ͬͨྫr҉߸ݤͷཧํͷΦϓγϣϯ ڥมʹฏจͷ҉߸ݤΛஔ͘ – Ұ൪γϯϓϧͰ؆୯͕ͩ੬ऑ
4FDSFU.BOBHFSͳͲΞϓϦέʔγϣϯαʔόͷ֎ʹฏจͷ҉߸ݤΛஔ͘ – 👆ΑΓ҆શ͕ͩґવͱͯ͠ਓ͕ؒཧ͢Δඞཁ͕͋Δ 3BJMTͷ&ODZQUFE$SFEFOUJBMTΛ͏ – credentials.yml.encΛෳ߹͢Δݤʢmaster.keyʣΛͲ͏͢Δ͔ͱ͍͏ݦࡏ – ͬͺΓਓ͕ؒཧ͢Δඞཁ͕͋Δ ,FZ.BOBHFNFOU4FSJWDFΛ͔ͭ͏ – "84 ($1 "[VSFͳͲɺΫϥυϓϩόΠμͳΒجຊతʹఏڙͯ͠Δ
©2024 Bloomo Securities Inc. attr_encryptedΛ࣮ͬͨྫr,FZ.BOBHFNFOU4FSWJDFͱʢ"84Λྫʹʣ • $VTUPNFS.BTUFS,FZʢ$.,ʣΛࢦఆͯ͠ɺEBUBLFZʢ৽͍͠҉߸ݤʣΛཁٻ͢Δ – "
• ҎԼͷͷ͕,.4͔Βฦͬͯ͘Δ – "ฏจͷ҉߸ݤ – #"͕҉߸Խ͞Εͨͷ • ҉߸Խɿ"Ͱ҉߸Խͯ͠ɺͦΕফڈɻ#Λ%#ͳͲʹอଘ͓ͯ͘͠ɻ • ෮߸Խɿ#Λ,.4ʹ͚͛ͭΔͱ෮߸Խͯ͠ฦͯ͘͠ΕΔʢ"ΛಘΒΕΔʣͷͰɺσʔλຊମ Λ"Ͱ෮߸Խ͢Δ CMK has_many :data_keys
©2024 Bloomo Securities Inc. attr_encryptedΛ࣮ͬͨྫr,.4ΛͬͨϨίʔυ͝ͱͷ҉߸Խ࣮ྫ ,.4͔Βऔಘͨ͠ʲ҉߸Խ͞Εͨ҉߸ݤ #
ʳΛอଘ͢ΔͨΊͷΧϥϜ encrypted_data_keyΛ҉߸ԽରΫϥεʢςʔϒϧʣʹՃ ԼهͷΑ͏ͳϝιουΛͭmoduleΛఆٛ module KmsKey def data_key kms_client = Aws::KMS::Client.new(region: aws_region) if self.encrypted_data_key kms_client.decrypt(ciphertext_blob: self.encrypted_data_key) else resp = kms_client.generate_data_key( key_id: Rails.application.config.x.common['kms_cmk_id’], key_spec: 'AES_256’, ) self.encrypted_data_key = resp.ciphertext_blob resp.plaintext end end
©2024 Bloomo Securities Inc. attr_encryptedΛ࣮ͬͨྫr,.4ΛͬͨϨίʔυ͝ͱͷ҉߸Խ࣮ྫ ҉߸ԽରϑΟʔϧυΛఆٛ class
PersonalInfo < ApplicationRecord include KmsKey attr_encrypted :first_name, key: :data_key, algorithm: 'aes-256-gcm’ attr_encrypted :last_name, key: :data_key, algorithm: 'aes-256-gcm'
©2024 Bloomo Securities Inc. attr_encryptedΛ࣮ͬͨྫr,.4ΛͬͨϨίʔυ͝ͱͷ҉߸Խ࣮ྫ Ϩίʔυ͝ͱʹ҉߸ݤΛม͑ͭͭɺಁաతʹѻ͑ΔΑ͏ʹͳΔ personal_info.first_name
= ”ϊΤϧ” personal_info.last_name = “খྛ” personal_info.save! personal_info = PersonalInfo.find(1) puts personal_info.first_name # => “ϊΤϧ” puts personal_info.last_name # => “খྛ”
©2024 Bloomo Securities Inc. attr_encryptedΛ࣮ͬͨྫrΞοϓϩʔυը૾ͷ҉߸Խ class IdDocumentImage < ApplicationRecord
include KmsKey mount_uploader :uploader, IdDocumentImageUploader before_save :encrypt_file! def encrypt_file! iv = Cipher.generate_iv self.uploader_iv = Base64.strict_encode64(iv) cipher = Cipher.new(key: data_key, cipher_iv: iv) resp = cipher.encrypt(value: uploader.file.read) File.binwrite(uploader.file.path, resp) end • DBSSJFSXBWFΛྫʹ͝հ • Ϩίʔυ͝ͱʹ҉߸ݤΛม͑ͭͭɺΞοϓϩʔυը૾ͦͷͷ҉߸Խͯ͠อଘ
©2024 Bloomo Securities Inc. ҉߸Խͭͭ͠ݕࡧՄೳʹ͢Δํ๏ͷհr҉߸Խͭͭ͠ݕࡧՄೳʹ͢ΔΦϓγϣϯ ܾఆత҉߸ԽΛ͏ – "DUJWF3FDPSE&ODSZQUJPO͕࠾༻͍ͯ͠Δํ –
ಉ͡҉߸ԽݤͰ҉߸Խ͍ͯ͠Δσʔλ܊ʹରͯ͠Մೳͳख๏ &MBTUJD4FBSDIͳͲͷݕࡧϞδϡʔϧΛ༻ҙ͠ɺͦ͜ʹฏจͷσʔλΛ֨ೲ͢Δ – &MBTUJD4FBSDIΞϓϦέʔγϣϯαʔό͔ΒͷΈΞΫηεՄೳͰɺܦ࿏ྖҬ҆શͱ ͍͏લఏ ݕࡧ࣌ΞϓϦέʔγϣϯαʔόͰҰׅෳ߹ͯ͠ɺίʔυ্Ͱݕࡧ͢Δ – PersonalInfo.all.eachΈ͍ͨʹ͢ΔΠϝʔδ ݕࡧ༻ʹରϑΟʔϧυʢࢯ໊ɺॅॴͳͲʣͷϋογϡΛผςʔϒϧʹอଘ͢Δ – શҰகͷݕࡧͷΈՄೳ
©2024 Bloomo Securities Inc. ҉߸Խͭͭ͠ݕࡧՄೳʹ͢Δํ๏ͷհr҉߸ԽରσʔλΛอଘͭͭ͠ݕࡧ༻)BTIΛ࡞͢Δྫ class PersonalInfoHash < ApplicationRecord
belongs_to :personal_info end class PersonalInfo < ApplicationRecord include KmsKey …… has_many :personal_info_hashes • PersonalInfoHashϞσϧʢςʔϒϧʣΛఆٛ – key: string – value: string
©2024 Bloomo Securities Inc. ҉߸Խͭͭ͠ݕࡧՄೳʹ͢Δํ๏ͷհr҉߸ԽରσʔλΛอଘͭͭ͠ݕࡧ༻)BTIΛ࡞͢Δྫ class PersonalInfo < ApplicationRecord
after_save :save_hashes def save_hashes save_name_hash save_tel_hash ... end def save_name_hash raw_value = last_name + first_name pi_hash = personal_info_hashes.find_or_initialize_by(key: 'last_name_and_first_name’) pi_hash.value = BCrypt::Engine.hash_secret(raw_value, ENV['HASH_SALT’]) pi_hash.save! end • after_save ͱ͔ͰPersonalInfo ͷϨίʔυͱҰॹʹ࡞Δ • ҉߸ֶత)BTIؔͱΓ͋͑ͣBcrypt͓͚ͬͯྑͦ͞͏
©2024 Bloomo Securities Inc. ҉߸Խͭͭ͠ݕࡧՄೳʹ͢Δํ๏ͷհr҉߸ԽରσʔλΛอଘͭͭ͠ݕࡧ༻)BTIΛ࡞͢Δྫ hash_value = BCrypt::Engine.hash_secret(searching_value, ENV['HASH_SALT’])
personal_infos = PersonalInfoHash .where(key: 'last_name_and_first_name', hash_value: hash_value) .map(&:personal_info) • ݕࡧ͢Δͱ͖ݕࡧϫʔυͷϋογϡΛܭࢉͯ͠ݕࡧ
©2024 Bloomo Securities Inc. ·ͱΊ Ұׅ҉߸Խ ςʔϒϧ͝ͱʹ҉߸Խ Ϩίʔυ͝ͱʹ҉߸Խ ڥม 4FDSFU.BOBHFS
DSFEFOUJMBTZNMFOD ,.4 ܾఆత҉߸ԽʹΑΔݕࡧ &MBTUJD4FBSDI ۪ݕࡧ ϋογϡԽʹΑΔݕࡧ "DUJWF3FDPSE&ODSZQUJPO attr_encrypted lockbox ॳظϦϦʔε 3BJMT ఏڙݩ CVJMUJO HFN HFN σϑΥϧτͷ͍ํ ΧελϚΠζ͢ΕͰ͖Δ • ࠓճ͝հͨ͠ํ๏Λಛੑ͝ͱʹ·ͱΊ·͢ ҉߸Խͷ ୯Ґ ҉߸ݤͷ ཧ ݕࡧख๏
©2024 Bloomo Securities Inc. ·ͱΊr"DUJWF3FDPSE&ODSZQUJPO Ұׅ҉߸Խ ςʔϒϧ͝ͱʹ҉߸Խ Ϩίʔυ͝ͱʹ҉߸Խ ڥม 4FDSFU.BOBHFS
DSFEFOUJMBTZNMFOD ,.4 ܾఆత҉߸ԽʹΑΔݕࡧ &MBTUJD4FBSDI ۪ݕࡧ ϋογϡԽʹΑΔݕࡧ "DUJWF3FDPSE&ODSZQUJPO attr_encrypted lockbox ॳظϦϦʔε 3BJMT ఏڙݩ CVJMUJO HFN HFN σϑΥϧτͷ͍ํ ΧελϚΠζ͢ΕͰ͖Δ • େͷཁ݅ຬͨͤΔ • ಋೖͷෑډ͍ – config.active_record.encryption.support_unencrypted_data = true ҉߸Խͷ ୯Ґ ҉߸ݤͷ ཧ ݕࡧख๏
©2024 Bloomo Securities Inc. ·ͱΊrBUUS@FODSZQUFEMPDLCPY Ұׅ҉߸Խ ςʔϒϧ͝ͱʹ҉߸Խ Ϩίʔυ͝ͱʹ҉߸Խ ܾఆత҉߸ԽʹΑΔݕࡧ &MBTUJD4FBSDI
۪ݕࡧ ϋογϡԽʹΑΔݕࡧ "DUJWF3FDPSE&ODSZQUJPO attr_encrypted lockbox ॳظϦϦʔε 3BJMT ఏڙݩ CVJMUJO HFN HFN σϑΥϧτͷ͍ํ ΧελϚΠζ͢ΕͰ͖Δ • "DUJWF3FDPSE&ODSZQUJPOͰཁ͕݅ຬͨͤͳ͍߹ʢϨίʔυ͝ͱ҉߸ԽͳͲʣʹݕ౼ • ,.4ར༻ kms_encrypted ɺϋογϡԽݕࡧ blind_index ผͷgem͕͋Δ • ৽نҊ݅ͳΒlockboxɺطଘίʔυΛ͍·Θ͍ͨ͠߹attr_encrypted ҉߸Խͷ ୯Ґ ҉߸ݤͷ ཧ ݕࡧख๏ ڥม 4FDSFU.BOBHFS DSFEFOUJMBTZNMFOD ,.4
©2024 Bloomo Securities Inc. Ұॹʹ#MPPNPͷαʔϏε։ൃΛ ͯ͘͠ΕΔؒΛืूதʂ https://careers.bloomo.co.jp/ 8FBSF)JSJOH