Why and how GitHub encrypts sensitive database columns using ActiveRecord::Encryption

GitHub is implementing ActiveRecord::Encryption in its Ruby on Rails monolith to encrypt sensitive database columns as part of a broader security strategy. Previously, GitHub used an internal library for this purpose, but the transition to ActiveRecord::Encryption aims to simplify encryption processes for developers by adopting more familiar and intuitive patterns. The transition involves customizing existing infrastructure to meet GitHub's scalability and security requirements, such as deriving per-column encryption keys from a primary key using a Key Derivation Function and storing these keys in Hashicorp Vault. This shift also includes making non-compression the default behavior to avoid exposing information about the entropy of encrypted data. The goal is to make encryption seamless and automatic for developers, encouraging better security adoption without requiring them to learn complex or proprietary methods. Future parts of this series will address the challenges of migrating existing columns to the new encryption standard.