I've got a database that will be holding sensitive data, so it ought to be encrypted within the database. Essentially the sensitive data are credentials to a different site. So I wish to secure all of them with the customer's password + salt.

To decrypt the credentials you would require the password.

I see two ways: on login, I could decrypt the credentials and then store them within the session? Is that safe?

Harder on the user would be to ask again for the password before decrypting the saved passwords/ids?

We don't wish to have the capability to use the saved credentials ourselves.

I recommend "Security on Rails" for this. It's a tricky subject, so you'll need to spend a while reading up in order to understand it properly. They cover exactly this subject, including how to salt the encrypted data, unit test to make sure it's encrypted, and much more.

Their sample code shows how to add class methods to ActiveRecord::Base so that you can make any database column encrypted in a single line of code. Certainly an idiomatic Rails approach.

This is an awesome read - the tests are amazing, so seriously ... download it today.

Incidentally, when you said

We don't wish to have the capability to use the saved credentials ourselves.

it becomes clear that since your code receives the unencrypted data from the user's browser, you do have the data in memory before it's encrypted on disk, and again when it's decrypted once the user wants to use that data later. And bad people could get access to that data if they root your box, sneak something into a Ruby eval(), etc.

Encrypting the data is still very useful, though. SQL injection attacks can't get the decrypted data, for instance.
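The scheme the question describes (credentials encrypted under the user's own password plus a per-record salt, so the server can only decrypt while it holds that password) and the answer's point that the stored row only ever contains ciphertext, as an added Ruby example. This is not code from the original question or answer and not the "Security on Rails" sample code; it uses only the OpenSSL bindings in Ruby's standard library. The iteration count, the column names and the sample credential string are assumptions for illustration.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Added example, not from the original post or from "Security on Rails".
# The key is derived from the user's password with PBKDF2 and a random
# per-record salt; AES-256-GCM both encrypts and authenticates, so a wrong
# password or a tampered row fails cleanly instead of yielding garbage.

PBKDF2_ITERATIONS = 100_000 # assumption: tune for your hardware
KEY_LEN  = 32               # AES-256 key size in bytes
SALT_LEN = 16
IV_LEN   = 12               # standard GCM nonce length

def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, KEY_LEN, 'sha256')
end

# Returns a hash of Base64 strings; each value maps to one DB column
# (assumed column names: salt, iv, ciphertext, tag).
def encrypt_credentials(password, plaintext)
  salt = SecureRandom.random_bytes(SALT_LEN)
  iv   = SecureRandom.random_bytes(IV_LEN)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(password, salt)
  cipher.iv  = iv
  cipher.auth_data = ''
  ciphertext = cipher.update(plaintext) + cipher.final
  {
    salt:       Base64.strict_encode64(salt),
    iv:         Base64.strict_encode64(iv),
    ciphertext: Base64.strict_encode64(ciphertext),
    tag:        Base64.strict_encode64(cipher.auth_tag)
  }
end

# Returns the plaintext, or nil when the password is wrong or the stored
# record has been modified (GCM tag check fails in both cases).
def decrypt_credentials(password, record)
  salt = Base64.strict_decode64(record[:salt])
  iv   = Base64.strict_decode64(record[:iv])
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = derive_key(password, salt)
  decipher.iv  = iv
  decipher.auth_tag  = Base64.strict_decode64(record[:tag])
  decipher.auth_data = ''
  decipher.update(Base64.strict_decode64(record[:ciphertext])) + decipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# The answer's SQL-injection point: nothing an attacker can SELECT from the
# row reveals the plaintext. True if any stored column contains it.
def stored_record_exposes?(record, plaintext)
  record.values.any? do |column|
    column.include?(plaintext) || Base64.strict_decode64(column).include?(plaintext)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, not real credentials.
  row = encrypt_credentials('correct horse battery', 'user=alice;pass=s3cret')
  puts row.inspect
  puts decrypt_credentials('correct horse battery', row)   # plaintext
  puts decrypt_credentials('wrong password', row).inspect  # nil
end
```

With this layout the application only holds the plaintext between the moment the user types the password and the moment the cipher returns, which is exactly the window the answer describes; whether that decrypted value is then kept in the session or thrown away until the password is asked for again is the trade-off the question is weighing, and the code does not decide it for you.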