What is the best way of encrypting data at rest with Ecto?

I’m using AWS Cognito for handling user authentication. Cognito facilities authentication through an OAuth2 process. At the end of a successful OAuth authentication I end up with two tokens (access_token, refresh_tooken). These tokens allow anyone to access user information from Cognito so they need to be protected.

Ideally I would like to securely store these tokens in the DB and my question is what is the best way to encrypt columns using Ecto.

I found these references when Google searching but am not sure if these are still valid:

• GitHub - danielberkompas/cloak_ecto: Encrypted fields for Ecto
• GitHub - dwyl/phoenix-ecto-encryption-example: 🔐 A detailed example for how to encrypt data in a Phoenix (Elixir) App before inserting into a database using Ecto Types

What’s the current recommended way of securing DB columns using Ecto?

We’re using cloak_ecto to encrypt data at rest and are pretty happy with it.

Seconding cloak_ecto, zero problems with it and I used it in several projects.

It was only a few lines to generate a random IV and encrypt our strings with aes_256_ctr using Erlang’s standard crypto library so we didn’t bring in cloak for our simple case, but I’ve also heard of teams I work with using it with no complaints.

If the things I just said sound unfamiliar a library might be the way to go as others have recommended