G-Research · suprjinx · Nov 4, 2024 · Sep 6, 2024 · Sep 13, 2024 · Sep 17, 2024
diff --git a/README.md b/README.md
@@ -71,6 +71,30 @@ UPPER_CASE). Environment vars will override any values in the config
 file.  Per-environment settings in the config file(development, test,
 production) will override the shared values for that type.
 
+## Database encryption
+The local database can be encrypted, if needed, but requires a bit of setup
+and careful retention of a master key. Note that there are performance impacts.
+
+1. First, create encryption keys for the database:
+```
+rails db:encryption:init
+```
+Copy the output to your clipboard.
+
+2. Next, create a `credentials.yml.enc` file:
+```
+EDITOR=vi rails credentials:edit
+```
+Paste the db encryption key data into this file, save, and exit.
+
+NB, the credentials file is decoded by a key placed in
+`config/master.key`. Be sure to save this file (it is .gitignored)!
+
+3. Finally, set the following Astral configuration to 'true':
+```
+   db_encryption: true
+```
+
 ## mTLS connections
 Astral can be run as an SSL service and can communicate with Vault via SSL.
 Just set the following values in `config/astral.yml` (or environment) to 

diff --git a/app/models/domain.rb b/app/models/domain.rb
@@ -1,6 +1,11 @@
 class Domain < ApplicationRecord
   validates :fqdn, presence: true
 
+  if Config[:db_encryption]
+    encrypts :fqdn, :users, :groups
+  end
+
+
   def groups_array
     (groups || "").split(",").sort.uniq
   end

diff --git a/config/astral.yml b/config/astral.yml
@@ -1,6 +1,9 @@
 # Astral configuration
 # Note that values can be supplied here or as environment vars (UPPER_CASE).
 shared:
+  # Set to true and follow setup guide for encrypted sql database fields
+  db_encryption: false
+
   vault_token:
   vault_addr:
   # if VAULT_ADDR is https with self-signed cert, need to provide

diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc