SeaQL
Model Encryption
Motivation
I'm wondering if there are any plans or rough ideas of a design for SeaORM to support AEAD for certain fields of a model, similar to Active Record Encryption? It would be great if this could be handled transparently by SeaORM, and 2.0's entity-first approach seems to align quite well.
Proposed Solutions
I imagine the UX could be something like the combination of a macro indicating that a column is encrypted, and accompanying trait implementations for encryption of ActiveModel's and decryption of Models:
#[sea_orm::model]
#[derive(Clone, Debug, PartialEq, Eq, DeriveEntityModel)]
#[sea_orm(table_name = "example")]
pub struct Model {
#[sea_orm(primary_key)]
pub id: i32,
#[sea_orm(encrypted)] // encrypted column
pub secret: String,
}
/// Some trait that handles fetching keys and applying encryption on save
impl ActiveModelEncryption for ActiveModel {}
/// Some trait that handles fetching keys and decrypting columns at query time
impl ModelDecryption for Model {}
Alternatives
Perhaps a custom ActiveModel and FromQueryResult struct implementation could accomplish this? However, it would be awesome to be first-class in SeaORM and seems to align with the project's goals.
Additional Information
It would also be interesting to consider how to support the deterministic vs. non-deterministic configurations to allow for querying encrypted data, or migrating from cleartext to encrypted data. https://guides.rubyonrails.org/active_record_encryption.html#support-for-unencrypted-data
